Due to a recent monthly scan of our company's internal network finding that our HP LaserJet printers (2100, 3005, 3005d, 3015, 3600n, 4345 mfp, M5035) are vulnerable and need an upgraded OpenSSL certificate, I'm facing two decisions. I presume I could disable EWS access to eliminate this vulnerability or I could upgrade the OpenSSL certificates. I assume that HP uses OpenSSL for the printer's self-signed certificates, because the self-signed certificates are installed on our printers? We didn't make our own with OpenSSL or go through a CA. The message from the Tenable Nessus scan for the LaserJet printer is: The OpenSSL service on the remote host is vulnerable to a man-in-the-middle (MiTM) attack, based on its response to two consecutive 'ChangeCipherSpec' messages during the incorrect phase of an SSL/TLS handshake. OpenSSL 0.9.8 SSL/TLS users (client and/or server) should upgrade to 0.9.8za. OpenSSL 1.0.0 SSL/TLS users (client and/or server) should upgrade to 1.0.0m. OpenSSL 1.0.1 SSL/TLS users (client and/or server) should upgrade to 1.0.1h.
I found a manual on HP's website describing how to disable EWS on LaserJet printers. I'm running into a problem, though, in that the EWS configs for my printers don't match up with the screenshots and instructions in the manuals. I presume this could be due to my printers running an older firmware version than the printers used in the manuals? I can't find anything as simple as what is given in the manuals. I find simply "Disable EWS" in the manual provided in the link you mentioned, but I can't find anything that simple in the EWS configs for my printers. The closest thing I can find in EWS for my printers, and this is stretching I'm sure, is unchecking the box "Allow HTTP access", but that only disables EWS HTTP access for the printers.
I have password-protected the EWS access. I guess I should explain why I want to disable EWS. 1) We don't use it. :) We simply use the printers for printing and scanning. The printers have been managed directly from the printer control panel instead of via EWS. 2) A Tenable Nessus scan revealed that the OpenSSL certificates on the printers are vulnerable due to their being an older version of OpenSSL. The certificates installed on the printers aren't from a CA; they are the self-signed Jetdirect certificates HP supplies with the printers. So I assume my only two options are to try and get an updated version of OpenSSL from HP and to disable web access to the printers. The latter seems to be the easier option since we don't use the EWS config, and therefore wouldn't be giving up anything for how we use the printers.
Thoughts?
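
An added example, not part of the original post: the fixed releases in the quoted Nessus message are per branch (0.9.8za, 1.0.0m, 1.0.1h), so a firmware's OpenSSL version has to be compared against the fix for its own branch. This sketch assumes the OpenSSL version of each firmware is known (for instance from release notes); the host names and versions in the inventory are constructed.

```python
import re

# Fixed patch letter per branch, from the Nessus message quoted in the post.
FIXED = {"0.9.8": "za", "1.0.0": "m", "1.0.1": "h"}

# Pre-1.1.0 OpenSSL versions look like 0.9.8, 0.9.8y, 0.9.8za: three numbers
# plus an optional patch-letter suffix. An "OpenSSL " prefix is tolerated.
_VERSION = re.compile(r"(?:openssl\s+)?(\d+\.\d+\.\d+)([a-z]*)")


def parse(version):
    """Split '1.0.1g' into ('1.0.1', 'g'); reject anything else."""
    m = _VERSION.fullmatch(version.strip().lower())
    if m is None:
        raise ValueError(f"unrecognised OpenSSL version: {version!r}")
    return m.group(1), m.group(2)


def letter_rank(suffix):
    """Sort key for patch letters: length first, then alphabetical,
    so '' < 'a' < ... < 'z' < 'za' < 'zb'."""
    return (len(suffix), suffix)


def status(version):
    """Return 'fixed', 'vulnerable' or 'unknown-branch' for one version."""
    branch, suffix = parse(version)
    if branch not in FIXED:
        # The quoted message says nothing about this branch.
        return "unknown-branch"
    if letter_rank(suffix) >= letter_rank(FIXED[branch]):
        return "fixed"
    return "vulnerable"


def triage(inventory):
    """Map each host to the status of its reported OpenSSL version."""
    return {host: status(version) for host, version in inventory.items()}


if __name__ == "__main__":
    # Constructed inventory; hosts and versions are illustrative only.
    sample = {
        "printer-01.example.internal": "OpenSSL 0.9.8z",
        "printer-02.example.internal": "1.0.1g",
        "printer-03.example.internal": "1.0.0m",
    }
    for host, result in sorted(triage(sample).items()):
        print(f"{host}: {result}")
```

Note that 1.0.1g is still reported as vulnerable even though it is "newer" than 1.0.0m, which is why the comparison is done per branch.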