Case type: 6
Registration number: 16FMV3774-43:1
Document ID: CB-015
Uncontrolled copy when printed
Template: CSEC_mall_doc, 7.0
HEMLIG/ in accordance with the Public Access to Information and Secrecy Act (Offentlighets- och sekretesslagen, 2009:400)
2017-03-09
Country of origin: Sweden

Försvarets materielverk (Swedish Defence Materiel Administration)
Swedish Certification Body for IT Security

Certification Report Lexmark SFP

Issue: 0.0, 2017-03-09
Authorisation: Imre Juhász, Lead Certifier, CSEC
Report Distribution: Arkiv (archive)

Swedish Certification Body for IT Security, Certification Report Lexmark SFP, 16FMV3774-43:1, 0.0, 2017-03-09, CB-015, page 2 (20)

Table of Contents
1 Executive Summary 3
2 Identification 5
3 Security Policy 6
4 Assumptions and Clarification of Scope 7
4.1 Usage Assumptions 7
4.2 Environmental Assumptions 7
4.3 Clarification of Scope 7
5 Architectural Information 9
6 Documentation 11
7 IT Product Testing 12
8 Evaluated Configuration 14
9 Results of the Evaluation 15
10 Evaluator Comments and Recommendations 17
11 Glossary 18
12 Bibliography 19
Appendix A Scheme Versions 20
A.1 Scheme/Quality Management System 20
A.2 Scheme Notes 20

1 Executive Summary

The Target of Evaluation (TOE) is the firmware of Lexmark's Single Function Printers Lexmark C4150, C6160, CS720, CS725, CS820 and Dell S5840. The TOE running on one of the specified supported hardware models constitutes a Single Function Printer (SFP).
Firmware versions:
- YK.030.079CC: C6160, CS820
- CB.030.079CC: C4150, CS720, CS725, S5840

Conformance is claimed to the PP 2600.1, Protection Profile for Hardcopy Devices, Operational Environment A, version 1.0, dated January 2009, with the following SFR packages:
- PRT, SFR Package for Print Functions
- SMI, SFR Package for Shared-medium Interface Functions

The Security Target claims demonstrable conformance to the Security Problem Definition (APE_SPD), Security Objectives (APE_OBJ), Extended Components Definitions (APE_ECD), and the Common Security Functional Requirements (APE_REQ) of the referenced PP. The TOE performs the functions F.PRT and F.SMI as defined in the referenced PP and claims demonstrable conformance to the augmented SFR packages defined for each of these functions.

The ST makes five assumptions regarding the secure usage and environment of the SFP. The TOE relies on these being met in order to counter the six threats and to fulfil the four organisational security policies (OSPs) in the ST. The assumptions, the threats and the organisational security policies are described in chapter 4, Assumptions and Clarification of Scope.

The evaluation was performed by Combitech AB and EWA-Canada. It was conducted in accordance with the requirements of the Common Criteria, version 3.1, revision 4, and the Common Methodology for Information Technology Security Evaluation, version 3.1, revision 4. The evaluation was performed at evaluation assurance level EAL3, augmented by ALC_FLR.2.

Combitech AB is a licensed evaluation facility for Common Criteria under the Swedish Common Criteria Evaluation and Certification Scheme. Combitech AB is also accredited by the Swedish accreditation body SWEDAC according to ISO/IEC 17025 for Common Criteria evaluation. EWA-Canada operates as a foreign location for Combitech AB within the scope of the Swedish Common Criteria Evaluation and Certification Scheme.
The certifier monitored the activities of the evaluator by reviewing all successive versions of the evaluation reports. The certifier determined that the evaluation results confirm the security claims in the Security Target and have been reached in agreement with the requirements of the Common Criteria and the Common Methodology for evaluation assurance level EAL 3 + ALC_FLR.2.

The certification results only apply to the version of the product indicated in the certificate, and on the condition that all the stipulations in the Security Target are met. This certificate is not an endorsement of the IT product by CSEC or any other organisation that recognises or gives effect to this certificate, and no warranty of the IT product by CSEC or any other organisation that recognises or gives effect to this certificate is either expressed or implied.

2 Identification

Certification Identification
Certification ID: CSEC2016004
Name and version of the certified IT product: Firmware for Single Function Printers Lexmark C4150, C6160, CS720, CS725, CS820 and Dell S5840
Firmware versions:
- YK.030.079CC: C6160, CS820
- CB.030.079CC: C4150, CS720, CS725, S5840
Security Target identification: Lexmark C4150, C6160, CS720, CS725 and CS820 and Dell S5840 Single Function Printer Security Target
EAL: EAL3 + ALC_FLR.2
CCRA recognition: for components up to EAL 2 and ALC_FLR only
Sponsor: Lexmark International Technologies S.A.
Developer: Lexmark International Technologies S.A.
ITSEF: Combitech AB
Common Criteria version: 3.1, revision 4
CEM version: 3.1, revision 4
Certification completion date: 2017-03-15

3 Security Policy

The TOE consists of seven security functions. Below is a short description of each of them. For more information, see the Security Target [ST].

Audit Generation
The TOE generates audit event records for security-relevant events and transmits them to a remote IT system using the syslog protocol.

Identification and Authentication
When a touch panel or web session is initiated, the user is implicitly assumed to be the Guest (default) user. In the evaluated configuration, the permissions for this user must be configured such that no access to TSF data or functions is allowed; the user must therefore successfully log in as a different user before any TSF data or functions may be accessed. The TOE supports I&A with a per-user selection of Username/Password Accounts (processed by the TOE) or integration with an external LDAP server (in the operational environment). Smart Card authentication may also be specified for users of the touch panel.

Access Control
Access controls configured for functions and menu access are enforced by the TOE.

Management
Through web browser and touch panel sessions, authorized administrators may configure access controls and perform other TOE management functions.

D.DOC Wiping
In the evaluated configuration, the TOE automatically overwrites RAM used to store user data as soon as the buffer is released.

Secure Communication
The TOE protects the confidentiality and integrity of all information exchanged over the attached network by using IPSec with ESP for all network communication. Cryptographic keys may be generated by the TOE, or pre-shared keys may be entered by the administrator.
Self Test
During initial start-up, the TOE performs self tests on its cryptographic components and on the integrity of the configuration data.

4 Assumptions and Clarification of Scope

4.1 Usage Assumptions
The following assumptions about usage are made:

A.ADMIN.TRAINING Administrators are aware of the security policies and procedures of their organization, are trained and competent to follow the manufacturer's guidance and documentation, and correctly configure and operate the TOE in accordance with those policies and procedures.

A.ADMIN.TRUST Administrators do not use their privileged access rights for malicious purposes.

A.USER.TRAINING TOE Users are aware of the security policies and procedures of their organization, and are trained and competent to follow those policies and procedures.

4.2 Environmental Assumptions
The following assumptions about the environment are made:

A.ACCESS.MANAGED The TOE is located in a restricted or monitored environment that provides protection from unmanaged access to the physical components and data interfaces of the TOE.

A.IPSEC IPSec with ESP is used between the TOE and all remote IT systems with which it communicates over the network using IPv4 and/or IPv6.

4.3 Clarification of Scope
Four categories of threat agents are defined:
- Persons who are not permitted to use the TOE who may attempt to use the TOE.
- Persons who are authorized to use the TOE who may attempt to use TOE functions for which they are not authorized.
- Persons who are authorized to use the TOE who may attempt to access data in ways for which they are not authorized.
- Persons who unintentionally cause a software malfunction that may expose the TOE to unanticipated threats.
The identified threats against the TOE are listed below:
- T.CONF.ALT TSF Confidential Data may be altered by unauthorized persons
- T.CONF.DIS TSF Confidential Data may be disclosed to unauthorized persons
- T.DOC.ALT User Document Data may be altered by unauthorized persons
- T.DOC.DIS User Document Data may be disclosed to unauthorized persons
- T.FUNC.ALT User Function Data may be altered by unauthorized persons
- T.PROT.ALT TSF Protected Data may be altered by unauthorized persons

Four Organisational Security Policies are defined:
- P.AUDIT.LOGGING To preserve operational accountability and security, records that provide an audit trail of TOE use and security-relevant events will be created, maintained, and protected from unauthorized disclosure or alteration, and will be reviewed by authorized personnel.
- P.INTERFACE.MANAGEMENT To prevent unauthorized use of the external interfaces of the TOE, operation of those interfaces will be controlled by the TOE and its IT environment.
- P.SOFTWARE.VERIFICATION To detect corruption of the executable code in the TSF, procedures will exist to self-verify executable code in the TSF.
- P.USER.AUTHORIZATION To preserve operational accountability and security, Users will be authorized to use the TOE only as permitted by the TOE Owner.

None of the assumptions and organisational security policies on the operational environment listed above is to be characterised as unusual.

5 Architectural Information

The following TOE model is adapted from the Protection Profile, ref. [PP]. The TOE comprises the following subsystems:

Operating System
The Operating System subsystem provides standard operating system services such as file system, process management, timers and memory management.
The memory management functionality zeroizes buffers in memory upon deallocation. The Operating System subsystem executes a series of self-tests of the SFP upon each start-up of the system. This subsystem also maintains the system time, which is used to insert timestamps into audit records when they are generated.

GUI Manager
The GUI Manager subsystem handles all interactions with local users via the touch screen and keypad. This subsystem retrieves (from the Object Store subsystem) and displays the appropriate information on the touch screen and processes input from the touch screen and keypad. When configuration changes are made, the updated information is sent to the Object Store subsystem to be saved and acted on.

User Authentication
The User Authentication subsystem handles all validation of user credentials and authorizations, whether the validation is performed locally or remotely. When credentials or authorization checks are received from the GUI Manager or Web Server subsystems, User Authentication retrieves information from Object Store to determine if local, remote, or PKI validation should be performed.

Object Store
The Object Store subsystem is responsible for managing the storage of configuration parameters, forwarding audit records between the generating subsystem and the Audit subsystem, and forwarding user jobs between the receiving subsystem and the destination subsystem. This subsystem also maintains a list of pending user jobs.

Audit
The Audit subsystem is responsible for formatting audit information into the standard Syslog format, inserting a timestamp, and forwarding the audit records to the configured Syslog server. If NTP is configured, this subsystem also interacts with the configured NTP server(s) to maintain the system time.
Network Interface
The Network Interface subsystem is responsible for all interactions with the Network Interface Card and provides all the processing of network protocol layers that are common to multiple software subsystems (e.g. TCP, IP, IPSec). This subsystem interacts with remote IT systems via the network protocols. Since cryptography is required for several of the network protocols to establish trusted channels, this subsystem participates in key management functions and invokes the Crypto Library subsystem to perform cryptographic operations. All communication with remote IT systems is required to use IPSec.

Print
The Print subsystem processes print jobs received from the Network Interface subsystem (via the Object Store subsystem). Received network print jobs are queued to be deleted after the print job expiration timeout if they do not contain a PJL SET USERNAME statement. Audit information is generated as jobs are received, indicating that the job is created. The user jobs are converted to raster images and queued for printing. The list of user jobs waiting to be printed is communicated to the Object Store subsystem. Audit information is generated as jobs are completed.

Web Server
The Web Server subsystem is responsible for providing user access to TOE functions from remote IT systems via browser sessions (Remote Management Access, RMA). This subsystem retrieves (from the Object Store subsystem) and presents the appropriate information for display. When configuration changes are made, the updated information is sent to the Object Store subsystem to be saved and acted on.

Crypto Library
The Crypto Library subsystem provides cryptographic algorithm support used by other subsystems to perform cryptographic operations. The operations supported include encryption, decryption, hashing, message authentication coding, digital signatures and random number generation.
6 Documentation

The physical scope of the TOE also includes the following guidance documentation:
- Lexmark Common Criteria Installation Supplement and Administrator Guide
- Lexmark Embedded Web Server Administrator's Guide
- Lexmark CS720 Series User's Guide
- Lexmark CS820 Series User's Guide
- Lexmark C4100 Series User's Guide
- Lexmark C6100 Series User's Guide
- Dell S5840cdn Laser Printer User's Guide

7 IT Product Testing

Developer Tests
The developer performed manual tests. The developer's testing covers the security functional behaviour of all TSFIs and SFRs as well as the interactions of the subsystems. The developer's testing covered both firmware versions and all printer models.

Independent Evaluator Tests
The evaluator's independent tests were chosen to complement the developer's manual tests so as to cover as much as possible of the security functional behaviour of the TSFIs and SFRs. The evaluator repeated the developer's test cases and performed individual and penetration tests. The tests included:
- TOE Installation
- Identification and Authentication
- Access Control and Management
- Trusted Channel
- Repetition of Developer's Testing

The evaluator used a test configuration similar to the developer's, consisting of:
- TOE: CS720 without Smart Card reader
- Workstation: Windows client used to send print jobs to the TOE and to open browser sessions to manage the TOE
- Primary Domain Controller: Windows server providing Active Directory, DNS, Kerberos, GSSAPI and NTP services
- Email Server: SMTP server capable of receiving and displaying email from the TOE
- Syslog Server: capable of receiving and displaying Syslog messages from the TOE
- Network Monitor: used to display and analyse network traffic
- IP Network

The tests were run manually from the SFP's touch screen, the Embedded Web Server, and the workstation. The actual results of all test cases were consistent with the expected test results and all tests were judged to pass.

Penetration Tests
The following types of vulnerability tests were performed:
- Port scan
- Vulnerability scan
- PNG fuzzing
- Communication protocol compliance
- IPSec scanning

Port scans were run after installation and configuration had been done according to the guidance documentation. The purpose was to check that no unexpected ports were open unfiltered and that no unexpected services were available. The Nmap (www.nmap.org) port scan tool was used in four different modes: TCP Connect, TCP SYN, UDP, and IP protocol scans. All 65535 ports were scanned for TCP and UDP.

A network vulnerability scanning tool was run. No high severity issues were found.

A fuzzing tool was used to randomly change the content of a PNG image. The fuzzed images were sent to the SFP for printing.

It was verified that all traffic to and from the Primary Domain Controller used IPSec in ESP mode. It was also verified that no downgrade negotiation to weaker algorithms than those specified for the trusted channel ([ST] table 18) is possible.

The IPSec protocol was scanned using an IKE/IPSec scanning tool to reveal unspecified primitives, key lengths, etc.

A search in public sources did not reveal any exploitable or residual vulnerabilities in the TOE, including its third-party software libraries.

All penetration testing had a negative outcome, i.e.
no vulnerabilities were found.

8 Evaluated Configuration

In the Security Target [ST] section "1.10 Evaluated Configuration" there are 23 stated configuration options that apply to the evaluated configuration of the TOE. These configuration options need to be set correctly in order to use the evaluated version.

Dependencies to Other Hardware, Firmware and Software
The TOE is the firmware of an SFP. The SFP hardware must be one of the models supported for the firmware versions specified for the TOE. To be fully operational, any combination of the following items may be connected to the SFP:
- A LAN for network connectivity. The TOE supports IPv4 and IPv6.
- IT systems that submit print jobs to the SFP via the network using standard print protocols.
- An IT system acting as the remote syslog recipient of audit event records sent from the TOE.
- LDAP server to support Identification and Authentication (I&A). This component is optional depending on the type(s) of I&A mechanisms used.
- Card reader and cards to support Smart Card authentication using Common Access Card (CAC) or Personal Identity Verification (PIV) cards. This component is optional depending on the type(s) of I&A mechanisms used. The supported card readers are:
  - Identive Cloud 2700 F and Identive Cloud 2700 R readers
  - Omnikey 3121 SmartCard Reader
  - Any other Omnikey SmartCard Readers that share the same USB Vendor IDs and Product IDs with the above readers (for example Omnikey 3021)
  - SCM SCR 331
  - SCM SCR 3310v2

Excluded from the TOE Evaluated Configuration
The following features of the TOE are outside of, or not allowed in, the evaluated configuration:
- Support for:
  - Optional network interfaces.
  - Optional parallel or serial interfaces.
  - USB ports on the SFPs that perform document processing functions.
- Support for AppleTalk.
- Other I&A mechanisms than Internal Accounts, LDAP+GSSAPI on a per-user basis, the Backup Password mechanism, and Smart Card authentication.
- Other eSF (Java) applications than "eSF Security Manager", "Smart Card Authentication", "Secure Held Print Jobs", "Smart Card Authentication Client", "PIV Smart Card Driver" (if PIV cards are used), "CAC Smart Card Driver" (if CAC cards are used), and "Background and Idle Screen".
- Simple Network Management Protocol (SNMP).
- Internet Printing Protocol (IPP).

9 Results of the Evaluation

The verdicts for the assurance classes and components are summarised in the following table:

Assurance class / assurance family                Short name    Verdict
Security Target Evaluation                        ASE           PASS
  ST Introduction                                 ASE_INT.1     PASS
  Conformance claims                              ASE_CCL.1     PASS
  Security Problem Definition                     ASE_SPD.1     PASS
  Security objectives                             ASE_OBJ.2     PASS
  Extended components definition                  ASE_ECD.1     PASS
  Derived security requirements                   ASE_REQ.2     PASS
  TOE summary specification                       ASE_TSS.1     PASS
Life-cycle support                                ALC           PASS
  Authorisation controls                          ALC_CMC.3     PASS
  Implementation representation CM coverage       ALC_CMS.3     PASS
  Delivery procedures                             ALC_DEL.1     PASS
  Identification of security measures             ALC_DVS.1     PASS
  Developer defined life-cycle model              ALC_LCD.1     PASS
  Flaw reporting procedures                       ALC_FLR.2     PASS
Development                                       ADV           PASS
  Security architecture description               ADV_ARC.1     PASS
  Functional specification with complete summary  ADV_FSP.3     PASS
  Architectural design                            ADV_TDS.2     PASS
Guidance documents                                AGD           PASS
  Operational user guidance                       AGD_OPE.1     PASS
  Preparative procedures                          AGD_PRE.1     PASS
Tests                                             ATE           PASS
  Analysis of coverage                            ATE_COV.2     PASS
  Testing: basic design                           ATE_DPT.1     PASS
  Functional testing                              ATE_FUN.1     PASS
  Independent testing - sampling                  ATE_IND.2     PASS
Vulnerability assessment                          AVA           PASS
  Vulnerability analysis                          AVA_VAN.2     PASS

10 Evaluator Comments and Recommendations

None.

11 Glossary

CAC     Common Access Card
CEM     Common Methodology for Information Technology Security Evaluation, the document describing the methodology used in Common Criteria evaluations
CM      Configuration Management
EAL     Evaluation Assurance Level
ESP     Encapsulating Security Payload
GSSAPI  Generic Security Services Application Program Interface
I&A     Identification and Authentication
IPSec   Internet Protocol Security
IPv4    Internet Protocol version 4
IPv6    Internet Protocol version 6
ISO     International Organization for Standardization
IT      Information Technology
ITSEF   IT Security Evaluation Facility, a test laboratory licensed to operate within an evaluation and certification scheme
LAN     Local Area Network
LDAP    Lightweight Directory Access Protocol
NTP     Network Time Protocol
OSP     Organisational Security Policy
PJL     Printer Job Language
PIV     Personal Identity Verification
PP      Protection Profile
RAM     Random Access Memory
SFP     Single Function Printer
SMTP    Simple Mail Transfer Protocol
SNMP    Simple Network Management Protocol
ST      Security Target, the document containing the security requirements and specifications used as the basis of a TOE evaluation
TOE     Target of Evaluation
TSF     TOE Security Functionality
USB     Universal Serial Bus

12 Bibliography

[CCp1] Common Criteria for Information Technology Security Evaluation, Part 1, version 3.1, revision 4, September 2012, CCMB-2012-09-001
[CCp2] Common Criteria for Information Technology Security Evaluation, Part 2, version 3.1, revision 4, September 2012, CCMB-2012-09-002
[CCp3] Common Criteria for Information Technology Security Evaluation, Part 3, version 3.1, revision 4, September 2012, CCMB-2012-09-003
[CEM] Common Methodology for Information Technology Security Evaluation, version 3.1, revision 4, September 2012, CCMB-2012-09-004
[ST] Lexmark C4150, C6160, CS720, CS725 and CS820 and Dell S5840 Single Function Printer Security Target, Lexmark International, Inc., 2017-01-16, document version 1.4
[PP] 2600.1, Protection Profile for Hardcopy Devices, Operational Environment A, version 1.0, January 2009

Appendix A Scheme Versions

During the certification, the following versions of the Swedish Common Criteria Evaluation and Certification Scheme have been used.

A.1 Scheme/Quality Management System

Version   Introduced   Impact of changes
1.19      2016-02-05   None
1.19.1    2016-03-07   None
1.19.2    2016-04-28   None
1.19.3    2016-06-02   None
1.20      2016-10-20   None
1.20.1    2017-01-12   None
1.20.2    2017-02-27   None

A.2 Scheme Notes

Scheme Note 15 - Demonstration of test coverage
Scheme Note 18 - Highlighted Requirements on the Security Target

In order to ensure consistency in the outcome of the certification, the certifier has examined the changes introduced in each update of the quality management system. The changes between consecutive versions are outlined in "Ändringslista QMS 1.20.1" (QMS change list). The certifier concluded that, from QMS 1.19 to the current QMS 1.20.2, there are no changes with impact on the result of the certification.
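Added illustration of the port-scan check described in section 7 (IT Product Testing). This is not part of the certification report, nor of Lexmark's or the evaluators' test material; it shows how an assessor can turn the report's criterion ("no unexpected ports open unfiltered and no unexpected services available") into a mechanical comparison of Nmap grepable output against an allow-list. The Nmap output below is a constructed sample, not a scan of the TOE. The allow-list (IKE on 500/udp and 4500/udp only, on the grounds that all other traffic is required to run inside IPSec ESP) and the mapping of the excluded SNMP and IPP services to their standard ports are assumptions made for the example; the report does not publish the expected port set.

```python
"""Compare an Nmap grepable (-oG) scan of the SFP against the services the
evaluated configuration is expected to expose.

Added example; not part of the certification report or of Lexmark's or the
evaluators' test material. Assumptions (not stated in the report):
  * EXPECTED_OPEN: with all traffic required to use IPSec ESP, only IKE
    (500/udp, and 4500/udp for NAT traversal) should answer an
    unauthenticated scanner.
  * EXCLUDED_PORTS: standard ports of services the evaluated configuration
    excludes (section 8: SNMP, IPP).
The four scan modes named in the report would be collected with, e.g.:
  nmap -sS -p- -oG syn.gnmap   <toe>    # TCP SYN
  nmap -sT -p- -oG conn.gnmap  <toe>    # TCP Connect
  nmap -sU -p- -oG udp.gnmap   <toe>    # UDP
  nmap -sO     -oG proto.gnmap <toe>    # IP protocol scan
and each .gnmap file fed to parse_grepable().
"""
import re
from typing import Dict, List, Set, Tuple

Endpoint = Tuple[str, int]                    # (protocol, port), e.g. ("udp", 500)
ScanResult = Dict[str, Dict[Endpoint, str]]   # host -> endpoint -> state

EXPECTED_OPEN: Set[Endpoint] = {("udp", 500), ("udp", 4500)}   # assumption
EXCLUDED_PORTS: Dict[Endpoint, str] = {                        # assumption
    ("udp", 161): "SNMP",
    ("tcp", 631): "IPP",
    ("udp", 631): "IPP",
}

# One entry of the tab-separated "Ports:" field in -oG output:
#   port/state/protocol/owner/service/rpc info/version/
_PORT_ENTRY = re.compile(r"^(\d+)/([^/]*)/([^/]*)/")


def parse_grepable(text: str) -> ScanResult:
    """Extract per-host port states from `nmap -oG` output.

    '#' banner lines and 'Host: ... Status:' lines contribute no ports;
    a host with no 'Ports:' field yields an empty mapping.
    """
    results: ScanResult = {}
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        host = fields[0].split()[1]
        ports = results.setdefault(host, {})
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                m = _PORT_ENTRY.match(entry.strip())
                if m:
                    ports[(m.group(3), int(m.group(1)))] = m.group(2)
    return results


def unexpected_open(scan: ScanResult,
                    expected: Set[Endpoint] = EXPECTED_OPEN) -> Dict[str, List[Endpoint]]:
    """Endpoints reported 'open' that the allow-list does not explain.

    'filtered' and 'open|filtered' (UDP probe unanswered) are not counted
    as open: they are inconclusive, not evidence of a listening service.
    """
    findings: Dict[str, List[Endpoint]] = {}
    for host, ports in scan.items():
        bad = sorted(ep for ep, state in ports.items()
                     if state == "open" and ep not in expected)
        if bad:
            findings[host] = bad
    return findings


def excluded_services_exposed(scan: ScanResult) -> Dict[str, List[str]]:
    """Names of excluded services (SNMP, IPP) whose standard ports are open."""
    findings: Dict[str, List[str]] = {}
    for host, ports in scan.items():
        names = sorted({EXCLUDED_PORTS[ep] for ep, state in ports.items()
                        if state == "open" and ep in EXCLUDED_PORTS})
        if names:
            findings[host] = names
    return findings


# Constructed sample output (not a real scan of the TOE): one SFP on which
# SNMP and IPP were left enabled, contrary to the evaluated configuration.
SAMPLE_GNMAP = (
    "# Nmap 7.40 scan initiated (constructed sample)\n"
    "Host: 192.0.2.20 ()\tStatus: Up\n"
    "Host: 192.0.2.20 ()\tPorts: 500/open/udp//isakmp///, "
    "4500/open/udp//nat-t-ike///, 161/open/udp//snmp///, "
    "631/open/tcp//ipp///, 9100/filtered/tcp//jetdirect///, "
    "53/open|filtered/udp//domain///\tIgnored State: filtered (65529)\n"
    "# Nmap done (constructed sample)\n"
)

if __name__ == "__main__":
    scan = parse_grepable(SAMPLE_GNMAP)
    for host, eps in unexpected_open(scan).items():
        print(f"{host}: unexpected open ports {eps}")
    for host, names in excluded_services_exposed(scan).items():
        print(f"{host}: excluded services reachable {names}")
```

Two points of design worth noting. First, only a definite "open" state is a finding; a UDP "open|filtered" result means the probe went unanswered and needs a service-specific payload before it can be accepted or rejected, which is why the report's separate vulnerability scan and IPSec/IKE scan matter alongside the raw port scan. Second, the check is deliberately allow-list based: on a device whose evaluated configuration requires IPSec for all traffic, anything other than IKE answering an unauthenticated scanner is a deviation to explain, not a service to catalogue. The IP protocol scan (-sO) is listed in the comment for completeness but its output is not parsed here.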