伺服器的 BIOS 保護機制

NIST (National Institute of Standards and Technology) 是美國的政府機關 (國家標準技術研究所),訂定了非常多的標準。像是 DES 的制定 (NIST 前身,NBS - National Bureau of Standards) 與 AES 的選拔都是 NIST 的成果。

Slashdot 上看到 NIST 對於伺服器 BIOS 的保護機制提出建議:「NIST Publishes Draft Guidelines For Server BIOS Protection」,NIST 原始公告則是在「Security First: New NIST Guidelines on Securing BIOS for Servers」。都有原始 PDF 連結可以直接點。

BIOS Protection Guidelines for Servers ToC

標題是「BIOS Protection Guidelines for Servers」,目前還是在 draft 階段,頁數也還不太多...

請更新 HP 印表機的韌體...

HP 發了安全通告「HPSBPI02728 SSRT100692 rev.2 - Certain HP Printers and HP Digital Senders, Remote Firmware Update Enabled by Default」,在安全通告內列出的印表機都有安全問題,「允許遠端安裝未經授權的印表機韌體」,攻擊者可以遠端直接安裝有木馬的韌體:

A potential security vulnerability has been identified with certain HP printers and HP digital senders. The vulnerability could be exploited remotely to install unauthorized printer firmware.

另外可以參考 CVE-2011-4161 的說明:

The default configuration of the HP CM8060 Color MFP with Edgeline; Color LaserJet 3xxx, 4xxx, 5550, 9500, CMxxxx, CPxxxx, and Enterprise CPxxxx; Digital Sender 9200c and 9250c; LaserJet 4xxx, 5200, 90xx, Mxxxx, and Pxxxx; and LaserJet Enterprise 500 color M551, 600, M4555 MFP, and P3015 enables the Remote Firmware Update (RFU) setting, which allows remote attackers to execute arbitrary code by using a session on TCP port 9100 to upload a crafted firmware update.

能更新的就想辦法更新吧,無法更新的看看有沒有辦法處理 port 9100...