Lexmark XC4342 Security White Paper - Page 26

Modem and internal network adapter are separate by design, No support for the PS fax mechanism



Modem and internal network adapter are separate by design

Lexmark MFPs use a third-party fax chip to handle analog-to-digital processing, while the rest of the fax modem process is handled directly by the Lexmark firmware. The internal network adapter function is implemented separately from the modem capabilities, and the two functions are implemented on separate circuit cards. The fax processes and network adapter interaction are handled directly by the Lexmark firmware. Also, the Lexmark firmware is designed to prohibit direct interaction between the fax and network components.

Modem is configured for fax only

Control of the fax functionality is incorporated directly into the Lexmark firmware. The fax chip that sends and receives data over the phone line is directly controlled by the Lexmark firmware. The modem chip is in a mode that is even more restrictive than Class 1 mode, and it relies on the Lexmark firmware for composition and transmission of fax data. The firmware explicitly blocks the transmission of frames in data mode and allows only sending and receiving facsimile jobs.
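
The default-deny idea behind a fax-only modem, as an added illustration that is not Lexmark firmware or code from the white paper: a host-side gate that passes only standard Class 1 fax AT commands and drops anything that would select data mode. The page says the Lexmark chip runs in a mode more restrictive than Class 1, so the Class 1 command set, the fax_only_gate name and the allowlist contents are assumptions used as a stand-in.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Class 1 fax commands that take one numeric parameter (hypothetical allowlist). */
static const char *const FAX_ALLOW[] = {
    "+FTS=", "+FRS=",  /* stop transmission and pause / wait for silence */
    "+FTM=", "+FRM=",  /* transmit / receive page (image) data */
    "+FTH=", "+FRH=",  /* transmit / receive HDLC control frames */
};

static int all_digits(const char *s)
{
    if (*s == '\0') return 0;
    for (; *s; s++)
        if (!isdigit((unsigned char)*s)) return 0;
    return 1;
}

/* Returns 1 if cmd may reach the modem, 0 if it is dropped (default deny). */
int fax_only_gate(const char *cmd)
{
    char up[32];
    size_t n = strlen(cmd), i;

    if (n < 3 || n >= sizeof up) return 0;   /* bare "AT" or oversized */
    for (i = 0; i < n; i++) up[i] = (char)toupper((unsigned char)cmd[i]);
    up[n] = '\0';
    if (strncmp(up, "AT", 2) != 0) return 0;

    const char *body = up + 2;
    /* The service class may only be set to 1 (fax); 0 would select data mode. */
    if (strncmp(body, "+FCLASS", 7) == 0) return strcmp(body, "+FCLASS=1") == 0;
    /* Call control a fax session needs: answer, hang up, dial digits. */
    if (strcmp(body, "A") == 0 || strcmp(body, "H") == 0) return 1;
    if (body[0] == 'D')
        return all_digits(body + ((body[1] == 'T' || body[1] == 'P') ? 2 : 1));
    for (i = 0; i < sizeof FAX_ALLOW / sizeof FAX_ALLOW[0]; i++)
        if (strncmp(body, FAX_ALLOW[i], 5) == 0) return all_digits(body + 5);
    return 0;   /* ATO, S-registers, data/voice classes, chained commands */
}

int main(void)
{
    /* Constructed sample commands. */
    const char *samples[] = { "AT+FCLASS=1", "AT+FCLASS=0", "AT+FRM=96", "ATO", "AT+FRM=96;O" };
    for (size_t k = 0; k < sizeof samples / sizeof samples[0]; k++)
        printf("%-12s %s\n", samples[k], fax_only_gate(samples[k]) ? "pass" : "drop");
    return 0;
}
```

Because the gate is an allowlist, a command it does not recognise is dropped rather than forwarded, which is the property the paragraph above relies on.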

No support for the PS fax mechanism

Some fax devices employ a mechanism known as PS Fax or PostScript® emulation File Transfer. When two fax devices support PS Fax and connect through an analog phone session, PS Fax enables a print job to be transmitted in its original PostScript emulation format. This is faster and produces higher-quality output than converting the job to a bitmap at the sending end and transmitting the bitmap. However, the ability of the receiving device to accept non-image data exposes the device to security threats. The PostScript job itself can potentially include malicious functions, and the support for opening the connection for non-image data can leave the device vulnerable to other types of transmissions. For these reasons, the PS Fax capability is not supported on Lexmark MFPs.

Phone lines do not provide a way to update firmware

Because the only way to change the behavior of the modem is to modify the firmware, how that could be accomplished is a reasonable concern. Because the network connection is secure, the concern is the phone line, which is connected to the outside world. The nature of the Lexmark firmware and the fax operation of the modem, however, is to accept only fax frames, that is, frames that contain image data. When these frames are combined, they are assembled and wrapped in PostScript emulation commands and submitted to the MFP interpreter as image data. No other data path is available, and there is no way for data that comes through the fax to be treated as anything but a fax image. If the data that is received does not represent an image, the data is purged as an invalid PostScript emulation job. There is no avenue by which modified firmware (or any sort of executable code) can be packaged as a fax job and become operable in a Lexmark device.

Secure Network Interfaces