Operating instructions

CRP-C0266-01
34
Number   Category name of testing item                          Number of testing item
16       Password entry                                         9
17       Confirming the firm validity                           3
18       Encryption of HDD data                                 1
19       Generation of encryption key and update processing     2
Total                                                           192
c. Result
All the evaluator independent testing that was executed completed correctly, and the evaluator
confirmed the behavior of the TOE. The evaluator confirmed that all the testing results were
consistent with the expected behavior.
7.3.3 Evaluator Penetration Testing
The evaluator devised and conducted the necessary penetration testing on the possibility of
exploitable concerns in the assumed environment of use and at the assumed attack level. The
penetration testing executed by the evaluator is described as follows.
1) Summary of the Evaluator Penetration Testing
Summary of the penetration testing executed by the evaluator is as follows.
a. Vulnerability of concern
The evaluator searched the provided evidence and public domain information for potential
vulnerabilities, and then identified the following vulnerabilities as requiring penetration
testing.
Table 7-5 Anticipated Vulnerabilities

No.   Anticipated Vulnerabilities
V1    When access to the TOE through the Web browser is established, the TOE may be
      accessed through a direct call to the CGI without going through the user
      identification and authentication procedures.
V2    If a general user is registered with the same user ID as an administrator,
      administrator roles may be assigned to the general user at login.
V3    Some interfaces may allow access to the TOE's protected assets prior to user
      identification and authentication through the operation panel or Web browser.
V4    If general user IDs and administrator IDs cannot be distinguished, and a general
      user can register with the same ID as an administrator, then the general user may
      obtain administrator privileges.
V5    The TOE's USB port may run an unauthorised program that causes disclosure of
      protected assets. Unauthorised access to the HDD may also be gained through
      connection of a computer to the TOE's USB port.
V6    If an error occurs during the HDD check at start-up and the HDD initialisation
      process then starts, the TOE's security may be weakened.
V7    Users accessing the TOE from the operation panel or Web browser at start-up may
      obtain access before the TOE's security functions come into effect.
V8    The TOE may open unnecessary TCP/IP ports, and the ports in use may affect
      enforcement of the SFRs.
V9    Vulnerabilities to cross-site scripting and cross-site request forgery.
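As an added illustration of the concern behind V2 and V4 (constructed example code, not code from the report or from the evaluated TOE), the following Python model contrasts a login that decides the role from ID membership with a registry that enforces ID uniqueness across all roles and takes the role from the authenticated record. The stores, function names and sample accounts are assumptions made for the example.

```python
"""Model of the identity-collision concern in V2/V4 of Table 7-5 (constructed example)."""
import hashlib
import hmac
import os


def weak_login(admin_ids, general_accounts, user_id, password):
    """Flawed pattern: the credential is checked against the general-user store,
    but the role is then decided by whether the ID also appears in the administrator
    list. A general user registered with an administrator's ID is therefore given
    the administrator role at login. (Plaintext passwords only to keep the model short.)"""
    if general_accounts.get(user_id) == password:
        return "administrator" if user_id in admin_ids else "general"
    return None


class Registry:
    """Hardened pattern: one account record per ID, unique across every role."""

    ROLES = ("administrator", "general")

    def __init__(self):
        self._accounts = {}  # user_id -> {"role", "salt", "hash"}

    @staticmethod
    def _digest(salt, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user_id, password, role):
        if role not in self.ROLES:
            raise ValueError("unknown role")
        # Uniqueness is enforced over all roles, so a general user can never be
        # created with an ID that an administrator already holds.
        if user_id in self._accounts:
            raise ValueError(f"user ID {user_id!r} already exists")
        salt = os.urandom(16)
        self._accounts[user_id] = {"role": role, "salt": salt,
                                   "hash": self._digest(salt, password)}

    def login(self, user_id, password):
        rec = self._accounts.get(user_id)
        if rec is None:
            return None
        # Constant-time comparison; the role comes from the record that actually
        # authenticated, never from the ID alone.
        if not hmac.compare_digest(rec["hash"], self._digest(rec["salt"], password)):
            return None
        return rec["role"]
```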