Xerox WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper Version 2.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper ©2010 Xerox Corporation. All rights reserved. Xerox and the sphere of connectivity design are trademarks of Xerox Corporation in the United States and/or other counties. Other company trademarks are also acknowledged. Document Version: 1.00 (May 2010). Ver. 2.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 1. INTRODUCTION ..................................................................................................................................5 1.1. Purpose .................................................................................................................................................................................... 5 1.2. Target Audience ..................................................
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 3.2. Login and Authentication Methods ........................................................................................................................... 24 3.2.1. System Administrator Login [All product configurations] ........................................................................................... 24 3.2.2. User authentication ......................................................................
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 1. Introduction The WorkCentre 5735/5740/5745/5755/5765/5775/5790 multifunction systems are among the latest versions of Xerox copier and multifunction devices for the general office. 1.1. Purpose The purpose of this document is to disclose information for the WorkCentre products with respect to device security.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 2. Device Description This product consists of an in put document handler and scanner, marking engine including paper path, controller, and user interface. Document Feeder & Scanner (IIT) Graphical User Interface (GUI) Paper Trays Marking Engine (IOT) High-volume finisher and booklet maker accessories High-capacity feeder accessory Figure 2-1 WorkCentre Multifunction System 2.1.
Di sp lay Bu tto ns an d Physical external interface PCI Bus Optical interface Button and TOE internal wiring (proprietary) XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper Figure 2-2 System functional block diagram 2.1.2.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper Security Function Subsystem Controller Graphical User Interface Security Management Table 1 Security Functions allocated to Subsystems 2.2. Controller 2.2.1. Purpose The controller provides both network and direct-connect external interfaces, and enables copy, print, email, network scan, server fax, internet FAX, and LanFAX functionality.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper Non-Volatile Memory Type (Flash, EEPROM, etc) Size User Modifiable (Y/N) Flash ROM 128MB N Function or Use Process to Sanitize Single Board Controller No user image data stored (Boot code and system file) NVRAM 128KB N Single Board Controller No user image data stored.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 2.2.3. External Connections Figure 2-3 Back panel connections Interface Description / Usage FAX line 1, RJ-11 Supports FAX Modem T.30 protocol only FAX line 2, RJ-11 Supports FAX Modem T.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper USB Target port Direct-connect printing; Xerox diagnostic tools (PSW and CAT) and Xerox copier assistant Table 5 USB Ports 2.2. Fax Module 2.3.1. Purpose The embedded FAX service uses the installed embedded fax card to send and receive images over the telephone interface. 2.3.2. Hardware The Fax module contains the fax modem and RJ-11 connector. The Fax modem implements the T.30 fax protocol.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper Volatile Memory Description Type (SRAM, DRAM, etc) Size User Modifiable (Y/N) Function or Use Process to Clear: SRAM 6KB N Scanner volatile memory; no user image data stored Power Off System Additional Information: All memory listed above contains code for execution and configuration information. No user or job data is permanently stored in this location.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper Table 8 User Interface memory components 2.6. Marking Engine (also known as the Image Output Terminal or IOT) 2.6.1. Purpose The Marking Engine performs copy/print paper feeding and transport, image marking and fusing, and document finishing. Images are not stored at any point in these subsystems. 2.6.2.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper Figure 2-4 Controller Operating System layer components Ver. 2.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 2.7.3. Network Protocols Figure 2-5 is an interface diagram depicting the protocol stacks supported by the device, annotated according to the DARPA model. Figure 2-5 IPv4 Network Protocol Stack Ver. 2.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper Figure 2-6 IPv6 Network Protocol Stack 2.8. Logical Access 2.8.1. Network Protocols The supported network protocols are listed in Appendix D and are implemented to industry standard specifications (i.e. they are compliant to the appropriate RFC) and are well-behaved protocols. There are no ‘Xerox unique’ additions to these protocols. 2.8.1.1. IPSec The device supports IPSec tunnel mode.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper device-initiated operations (like scanning) cannot assume the existence of the tunnel unless a print job (or other client initiated action) has been previously run since the last boot at either end of the connection. 2.8.2. Ports The following table summarizes all potential open ports and subsequent sections discuss each port in more detail.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 2.8.2.4. Port 80, HTTP The embedded web pages communicate to the machine through a set of unique APIs and do not have direct access Network Controller request http server response Network I n t e request r machine n information a l response A P I to machine information: The HTTP port can only access the HTTP server residing in the controller. The embedded HTTP server is Apache.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 2.8.2.5. Port 88, Kerberos This port is only open when the device is communicating with the Kerberos server to authenticate a user, and is only used only to authenticate users in conjunction with the Network Scanning feature. To disable this port, authentication must be disabled, and this is accomplished via the Local User Interface. This version of software has Kerberos 5.1.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 2.8.2.7. Ports 137, 138, 139, NETBIOS For print jobs, these ports support the submission of files for printing as well as support Network Authentication through SMB. Port 137 is the standard NetBIOS Name Service port, which is used primarily for WINS. Port 138 supports the CIFS browsing protocol. Port 139 is the standard NetBIOS Session port, which is used for printing.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 2.8.2.13. Port 515, LPR This is the standard LPR printing port, which only supports IP printing. It is a configurable port, and may be explicitly enabled or disabled in the Properties tab of the device’s web pages. 2.8.2.14. Port 631, IPP This port supports the Internet Printing Protocol. It is not configurable. This is disabled when the http server is disabled. 2.8.2.15.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 3. System Access 3.1. Authentication Model The authentication model allows for both local and network authentication and authorization. In the local and network cases, authentication and authorization take place as separate processes: a user must be authenticated before being authorized to use the services of the device.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper Figure 3-1 Authentication and Authorization schematic Ver. 2.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 3.2. Login and Authentication Methods There are a number of methods for different types of users to be authenticated. In addition, the connected versions of the product also log into remote servers. A description of these behaviors follows. 3.2.1. System Administrator Login [All product configurations] Users must authenticate themselves to the device.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 2) The Domain Controller responds back to the device whether or not the user was successfully authenticated. If (2) is successful, steps 3 – 5 proceed as described in steps 4 – 6 of the Kerberos section.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 3) The device sends an authentication request directly to the Domain Controller through the router using the IP address of the Domain Controller. 4) The Domain Controller responds back to the device through the router whether or not the user was successfully authenticated. If (4) is successful, steps 5 – 7 proceed as described in steps 4 - 6 of the Kerberos section. 3.2.2.3.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 3.4. Diagnostics 3.4.1. Service [All product configurations] To access onboard diagnostics from the local user interface, Xerox service representatives must enter a unique 4-digit password. This PIN is the same for all product configurations and cannot be changed. For additional security, a Xerox authorized service representative can enable a “secure diagnostics” mode.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 3.4.4.1. Access The Xerox Service Technician must be authenticated twice: 1. The first password, called the PSW Lock Facility, is obtained by calling a Xerox service location and providing the CSE employee number and the serial number of the PSW. The password is then given to the Xerox Service Technician, and is valid for 90 days. When the password expires, the Xerox Service Technician must call in again.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 3) The PSW will send a request for Diagnostic service and a password. 4) Assuming the password is authentic, the Marking Engine will either execute a Marking Engine diagnostic, or else forward the diagnostic request to the controller. If this is a network diagnostic, the controller will execute the diagnostic and report results back to the Marking Engine.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 3.4.5. Summary As stated above, accessibility of customer documents, files or network resources is impossible via the PSW. In the extremely unlikely event that someone did spoof the Xerox proprietary protocols, only diagnostic activities can be executed. Ver. 2.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 4. Security Aspects of Selected Features 4.1. Audit Log The device maintains a security audit log. Recording of security audit log data can be enabled or disabled by the SA. The audit log is implemented as a circular log containing a maximum of 15000 event entries, meaning that once the maximum number of entries is reached, the log will begin overwriting the earliest entry.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper Event ID Event description 8 IFAX 9 Email job 10 Audit Log Disabled 11 Audit Log Enabled 12 Copy 13 Efax 14 Lan Fax Job 15 Data Encryption enabled 16 Manual ODIO Full started 17 Manual ODIO Full complete 20 Scan to Mailbox job 21 Delete File/Dir Ver. 2.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper Event ID Event description 22 USB Thumbdrive 23 Scan to Home 24 Scan to Home job 25 Copy store job 26 PagePack login 27 Postscript Passwords 29 Network User Login 30 SA login 31 User Login 32 Service Login Diagnostics 33 Audit log download 34 IIO feature status 35 SA pin changed 36 Audit log Transfer Ver. 2.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper Event ID Event description 37 SSL 38 X509 certificate 39 IP sec 40 SNMPv3 41 IP Filtering Rules 42 Network Authentication 43 Device clock 44 SW upgrade 45 Cloning 46 Secure scanning 47 Secure authentication 48 Service login copy mode 49 Smartcard access 50 Process terminated 51 ODIO scheduled Ver. 2.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper Event ID Event description Entry Data 53 CPSR Backup 54 CPSR Restore 55 SA Tools Access Admin 60 Device Clock NTP Enable/Disable 61 Grant / Revoke Admin 62 Smartcard (CAC/PIV) Enable/Disable/Configure 63 IPv6 Enable/Disable/Configure 64 802.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper Event ID Event description 2 System shutdown 3 Manual ODIO Standard started Manual ODIO Standard complete 4 5 Print job 6 Network scan job 7 Server fax job 8 IFAX 9 Email job 10 Audit Log Disabled 11 Audit Log Enabled 12 Copy Ver. 2.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper Event ID Event description 13 Efax 14 Lan Fax Job 15 Data Encryption enabled 16 Manual ODIO Full started 17 Manual ODIO Full complete 20 Scan to Mailbox job 21 Delete File/Dir 22 USB Thumbdrive 23 Scan to Home 24 Scan to Home job 25 Copy store job 26 PagePack login 27 Postscript Passwords Ver. 2.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper Event ID Event description 29 Network User Login 30 SA login 31 User Login 32 Service Login Diagnostics 33 Audit log download 34 IIO feature status 35 SA pin changed 36 Audit log Transfer 37 SSL 38 X509 certificate 39 IP sec 40 SNMPv3 41 IP Filtering Rules 42 Network Authentication 43 Device clock Ver. 2.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper Event ID Event description 44 SW upgrade 45 Cloning 46 Secure scanning 47 Secure authentication 48 Service login copy mode 49 Smartcard access 50 Process terminated 51 ODIO scheduled Entry Data Device name Device serial number Completion Status (Success, Failed) Device name Device serial number Completion Status (Success, Failed) Device name Device serial number Completion Status (Certificate Valida
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper On demand, the SA will be able to download a report that shows activity for all of the users. The SA can add, modify or remove users and their allocations at any point. An end user will be able to review their balances by entering a User ID at the LUI or web UI. 4.3. Automatic Meter Reads Automatic Meter Reads (AMR) is a service that allows devices to electronically report meter readings back to Xerox.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 4.5.1. Algorithm The overwrite mechanism for both IIO and ODIO conforms to the U.S. Department of Defense Directive 2 5200.28-M (Section 7, Part 2, paragraph 7-202 . The algorithm for the Image Overwrite feature is: Step 1: Pattern #1 is written to the sectors containing temporary files (IIO) or to the entire spooling area of the disks (ODIO). (hex value 0x35 (ASCII “5”)).
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 5. Responses to Known Vulnerabilities 5.1. Security @ Xerox (www.xerox.com/security) Xerox maintains an evergreen public web page that contains the latest security information pertaining to its products. Please see www.xerox.com/security. Ver. 2.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 6. APPENDICES 6.1. Appendix A – Abbreviations API AMR ASIC CAT CSE DADF/DADH DHCP DNS DDNS DRAM EEPROM EGP GB HP HTTP IBM ICMP IETF IFAX IIO IIT IT IOT IP IPSec IPX LAN LDAP LDAP Server LED LPR MAC MIB n/a NDPS NETBEUI NETBIOS NOS Application Programming Interface Automatic Meter Reads Application-Specific Integrated Circuit. This is a custom integrated circuit that is unique to a specific product.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper NVRAM NVM ODIO PCL PDL PIN PSW PWBA PWS RFC SA SLP SNMP SRAM SSDP SSL TCP TIFF UI URL UDP WebUI XCMI XSA Non-Volatile Random Access Memory Non-Volatile Memory On-Demand Image Overwrite Printer Control Language Page Description Language Personal Identification Number Portable Service Workstation Printed Wire Board Assembly Common alternative for PSW Required Functional Capability System Administrator Service Location
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 6.2. Appendix B – Supported MIB Objects NOTES : (1) The number of objects shown per MIB group represents the number of objects defined by the IETF standard for that MIB group. It does not represent the instantiation of the MIB group which may contain many more objects. (2) Some MIB objects defined within Input and Output groups of the Printer MIB (RFC 1759) have a MAX-ACCESS of RW.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper RFC 1759 - Printer MIB Group RFC 1213 - System group RFC 1213 - Interface group RFC 1514 - Storage group RFC 1514 - Device group General group [7 objects] Covers group [3 objects] Localization group [4 objects] Responsible Party group [2 objects] - OPTIONAL System Resources group [4 objects] Input group [12 objects] Extended Input group [7 objects] - OPTIONAL Input Media group [4 objects] - OPTIONAL Output group [6 o
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper RFC 1213 - MIB-II for TCP/IP group Transmission group [0 objects] SNMP group [28 objects] System Object Resources Table/objects per RFC 1907 [8 objects] WorkCentre not applicable because the group has not yet been defined by the IETF supported supported Additional Capabilities / Application Support ability to change GET, SET, TRAP PDU community names Printer MIB traps SNMP Generic Traps Vendor-specific Traps set tr
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 6.3. Appendix C –Standards Controller Hardware PCI Specification (PCI Local Bus Specification Revision 2.1) 100 Megabit Ethernet (IEEE 802.3) Universal Serial Bus 1.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper Function Document Printing Application (DPA) Appletalk RFC/Standard 10175 Inside Appletalk, Second Edition Printing Description Languages Postscript Language Reference, Third Edition PCL6 (PCL5E 5SI emulation) PCL6 (PCLXL 5M emulation) TIFF 6.0 JPEG Portable Document Format Reference Manual Version 1.3 Ver. 2.
XEROX WorkCentre 5735/5740/5745/5755/5765/5775/5790 Information Assurance Disclosure Paper 6.4. Appendix E – References Kerberos FAQ faq.html http://www.nrl.navy.mil/CCS/people/kenh/kerberos- IP port numbers http://www.iana.org/assignments/port-numbers Ver. 2.