Forum Discussion
Improved Printer Fingerprinting
Summary
This document addresses an issue where network printers generate unnecessary prints when scanned, even with the "Don't Scan Printers" setting enabled. The fix involves improving the SNMP identification process for printers by falling back to default community strings and ports if an incorrect community string is initially configured.
Background
Currently, if a customer configures an incorrect SNMP v1/v2(c) community string for a device, Plugin ID 11933 / "Do not scan printers" fails to revert to using well-known, default SNMP v1/v2(c) community strings and ports, unlike other plugins. This failure can prevent accurate identification of network printers, leading to them being scanned and in some cases, may inadvertently queue print jobs on printers
Impact
The following assumes the user has enabled the "Do not scan printers" setting in their scan policy and the network printer is correctly identified as such:
- Potential Decrease in Reported Vulnerabilities: Network printers will be less heavily scanned, potentially leading to a decrease in reported vulnerabilities related to these devices.
- Slight Increase in Packet Traffic: There will be an increase of approximately three packets per host as the system attempts fallback SNMP connections.
- Printers Marked as "Dead": Network printers that are successfully identified via SNMP will be marked as "dead" and will not be scanned further.
This change aims to enhance the effectiveness of identifying network printers using SNMP, thereby reducing unnecessary and potentially damaging traffic directed at these devices. The resulting decrease in reported vulnerabilities is an expected outcome, as identified printers will no longer be subjected to heavy scanning.
Users can continue to scan network printers by enabling the "Scan Network Printers" setting under “Host Discovery -> Fragile Devices -> Scan Network Printers” in the scan policy. This ensures that printers are scanned and not marked as dead, irrespective of fingerprinting.
Affected Plugins
11933 ( "Do not scan printers")
Affected Scan Policy Settings
Discovery -> Host Discovery -> Fragile Devices -> Scan Network Printers
Target Release Date: Monday, September 15, 2025
2 Replies
Slight delay on release for this one. We will now shoot for Monday, September 15.
Some additional information with the challenges of scanning printers, not just with Tenable products, but any type of scanner.
Ports of concern:PORT 9100
Most printers use AppSocket, also known as Port 9100, RAW, JetDirect, or Windows TCPmon which is a protocol that was developed by Tektronix.
It is considered as 'the simplest, fastest, and generally the most reliable network protocol used for all printers' though 'it also offers no security and is often an attack vector with printers'
When they say attacked, this can just mean that they are sent TCP packets that make them print rubbish out, thus effectively doing a Denial of Service attack.PORT 515
The Line Printer Daemon protocol/Line Printer Remote protocol (or LPD, LPR) is a network protocol for submitting print jobs to a remote printer. The original implementation of LPD was in the Berkeley printing system in the 2.10 BSD UNIX operating system in 1988; the LPRng project also supports that protocol. The LPD Protocol Specification is documented in RFC 1179.LPD printing normally happens over port 515.PORT 631
The Internet Printing Protocol (IPP) is an Internet protocol for communication between client devices (computers, mobile phones, tablets, etc.) and printers (or print servers). IPP can run locally or over the Internet. Unlike other printing protocols, IPP also supports access control, authentication, and encryption, making it a much more capable and secure printing mechanism than older ones. IPP is supported by over 98% of printers sold today. IPP printing normally happens over port 631. It is the default protocol in Android and iOS.
