A guideline to popular HP Jetdirect devices and the firmware they should be running as of August of 2007 is shown in Table 4:

 

HP Jetdirect Product Number

 

 

Firmware Version

 

 

 

 

 

 

J7949E Embedded Jetdirect

 

V.33.14/V.33.15

 

J4100A 400n 10Mbps MIO Print server

 

K.08.49

 

J4106A 400n 10Mbps MIO Print server

 

K.08.49

 

J3110A 600n 10Mbps EIO Print server

 

G.08.49

 

J3111A 600n 10Mbps EIO Print server

 

G.08.49

 

J3113A 600n 10/100 EIO Print server

 

G.08.49

 

J4169A 610n 10/100 EIO Print Server

 

L.25.57

 

J6057A 615n 10/100 EIO Print Server

 

R.25.57

 

J3263A/J3263G 300x External Print server

 

H.08.60

 

J3265A 500X External 3-Port Print Server

 

J.08.60

 

J7983G 510X External 3-Port Print Server

 

J.08.60

 

J7942A/J7942G en3700 External USB 2.0 Print

 

V.28.22

 

Server

 

 

 

 

J7934A/J7934G 620n EIO 10/100 Print Server

 

V.29.20

 

J7960A/J7960G 625n EIO 10/100/1000 Print

 

V.29.29

 

Server

 

 

 

 

J7961A/J7961G 635n EIO 10/100/1000

 

V.36.11

 

IPv6/IPsec Print Server

 

 

 

Table 4 – Jetdirect Firmware Versions

NOTE: For some Embedded Jetdirect products, you’ll need to upgrade the printer/MFP firmware to update the JDI firmware.

Now that we covered enough background information, let’s look at some of the reported vulnerabilities and attacks on HP Jetdirect.

HP Jetdirect Hacks: TCP Port 9100

TCP port 9100 was one of the first ways developed for sending print data to a printer. Some public references talk about a print protocol that exists on TCP port 9100. There isn’t one. Raw data delivered to the TCP layer on the HP Jetdirect device is sent to the printer as if it had been delivered over a parallel port, serial port, or any other port. TCP port 9100 is the fastest and most efficient way of delivering data to a printer using the TCP/IP protocol suite.

The most common hack for TCP Port 9100 is send a job to that port that has some PJL commands in it. These PJL command can do a variety of things, one of the most common ones being to change the control panel display. Remember that HP Jetdirect is stripping off the TCP/IP headers and presenting this data directly to the printer. The printer is processing the PJL (data) as if the printer was directly connected to a PC. Many years ago, printer drivers would use the PJL command suite to control the printer in a variety of ways. As we can see, in the networking world, there is a potential for misuse.

How does an Administrator prevent TCP Port 9100 from being misused? Based upon what we’ve learned about HP Jetdirect so far, we know we have to control who can and who cannot establish a TCP connection to TCP Port 9100. Table 5 shows us some options, presented in the form of the least amount of security (option 1) to higher levels of security (options > 1):

7