Phaser 3600 Security Information
Xerox Security Bulletin XRX12-011 v1.1 (PDF 86.6K)
November 29, 2012
Digital Signature of Software Upgrade Files
NOTE: This bulletin was reissued at version 1.1 to remove the Phaser 3635MFP. An issue with the Phaser 3635MFP will be resolved in a future version of this bulletin.
The Xerox products Phaser 3600, Phasers 4600/4620 and the WorkCentre 3550 were shipped without the ability to accept software upgrade files with digital signatures. The ability to accept only software upgrade files with digital signatures has been added for the indicated products. In addition, the indicated products now include the software upgrade setting in the Configuration Report and have added the capability to enable/disable software upgrade via SNMP.
Firmware solutions that will now only accept software upgrades files with digital signatures have been provided. These solutions are designed to be installed by the customer. The firmware solutions can be accessed via the links below or via the links in this bulletin announcement on: http://www.xerox.com/security
Phaser 3600: http://www.support.xerox.com/support/_all-products/file-download/enus.html?contentId=122549
Phaser 4600/4620: http://www.support.xerox.com/support/phaser-4600-4620/downloads/enza.html?operatingSystem=win7
WorkCentre 3550: http://www.support.xerox.com/support/workcentre-3550/downloads/enza.html?operatingSystem=win7
Xerox Security Bulletin XRX12-003 v1.1 (PDF 185.5K)
March 07, 2012
NOTE: We are re-issuing this bulletin due to a spelling error of the name of one of the researchers. No technical content in the bulletin has changed.
Vulnerabilities exist that, if exploited, could allow remote attackers to insert arbitrary code into the device. This could occur with a specifically crafted Postscript or firmware job submitted to the device. If successful, an attacker could make unauthorized changes to the system configuration; however, customer and user passwords are not exposed.
As part of Xerox’s on-going efforts to protect customers, the ability to accept these specially crafted jobs can be disabled for the affected products listed in the bulletin. Links for the software needed are contained inside the bulletin.
Phaser 3600 Statement of Volatility (PDF 14.9K)
November 18, 2008