Assurance Continuity - Xerox® AltaLink™ B8045 / B8055 / B8065 / B8075 / B8090
Date of Maintenance Completion: 2019.09.11
CC Certificate, Validation Report, Assurance Activity
Product Type: Multi Function Device
Conformance Claim: Protection Profile Compliant
PP Identifier: Protection Profile for Hardcopy Devices Version 1.0
Original Evaluated TOE: 2019.07.22 - Xerox® AltaLink™ B8045 / B8055 / B8065 / B8075 / B8090
Please note: The above files are for the Original Evaluated TOE. Consequently, they do not refer to this maintained version, although they apply to the maintained version.
Security Target * Assurance Continuity Maintenance Report
Please note: This serves as an addendum to the VR for the Original Evaluated TOE.
* This is the Security Target (ST) associated with the latest Maintenance Release.
Readers are reminded that the certification of this product (TOE) is the result of maintenance, rather than an actual re-evaluation of the product. Maintenance only considers the effect of TOE changes on the assurance baseline (i.e. the original evaluated TOE); maintenance is not intended to provide assurance in regard to the resistance of the TOE to new vulnerabilities or attack methods discovered since the date of the initial certificate. Such assurance can only be gained through re-evaluation.
Using a security impact analysis of the changes made to the TOE, which was provided by the developer, the CCEVS has determined that the impact of the changes on the TOE is minor and that independent evaluator analysis was not necessary. A summary of the results can be found in the Maintenance Report, which is written in relation to the product's original validation report and Security Target. Readers are therefore reminded to read the Security Target, Validation Report, and the Assurance Maintenance Report to fully understand the meaning of what a maintained certificate represents.
There is a single minor change to the TOE for the Assurance Maintenance. A software patch has been issued for the TOE software to correct a minor bug. The bug fix is related to correcting a Toner Cartridge warning issue. This change does not have any security relevant impact. It was accomplished by adding a single patch, 355487v2.dlm, to the software/firmware.
Description of ALC Changes:
Changes to the Security Target revision were made, going from version 0.6 to 0.7 with the addition of patch 355487v2.dlm. No other documentation was affected.
Assurance Continuity Maintenance Report:
· DXC.technology submitted an Impact Analysis Report (IAR) on behalf of Xerox for the Xerox Multi-Factor Device Security Target Xerox® AltaLink™ B8045 / B8055 / B8065 / B8075 / B8090.
· This Impact Analysis Report (IAR) documents the analysis of a certificate update. A software patch has been issued for the TOE software to correct a minor bug. The bug fix is related to correcting a Toner Cartridge warning issue. This change does not have any security relevant impact. The IAR concludes that all changes to the TOE are minor and the overall impact to the TOE is minor.
· A patch was created, patch IOT 2.2.24 for Snowdon ATL1.5 (D4.0 launch through R19-02) and D3.7 launch IOT 2.1.20 to deliver an IOT fix. It has no impact on the TSF.
· The patch fixed an issue in the Snowdon RFID Toner bottle read code that can lead to early End-of-Life and Toner Cartridge low faults getting thrown, which can cause toner bottles to be changed before they need to be.
· This problem does not involve or affect the TOE Security Functions.
· The Protection Profile is unchanged since the prior certification. No Technical Decisions have been released since the original posting of the PCL. No changes have been made to the hardware of the TOE models; the model names and manufacturing numbers remain the same. A software patch has been added to correct a minor issue related to the toner cartridges; this change does not affect the TOE Assurance Activity Coverage. The Assurance Activity coverage is Unchanged.
Description of Regression Testing:
Xerox tested that the patch works but performed no special regression testing for the RFID patch as it was not related to any software features that would have been tested as part of the CC assurance activities. The change is not security relevant and does not affect the assurance coverage.
A new vulnerability search was conducted on August 20, 2019 with no new vulnerabilities found. The same searches conducted during the original validation were repeated using the same search terms: Xerox, B8045, B8055, B8065, B8075, B8090. Searches were conducted at http://www.securityfocus.com/bid, http://www.kb.cert.org/vuls/, and https://nvd.nist.gov/vuln/search/results?adv_search=false&form_type=basic&results_type=overview&search_type=all&query=xerox.
There is one minor change to the TOE: a software patch has been added to correct an issue related to the Toner cartridges. This change does not affect the security function of the TOE. The ST has been updated only to identify the software patch. All other documentation provided for the original certification has not been changed. The impact on the assurance baseline is assessed as minor, within the allowance of the Assurance Continuity framework. It is the conclusion of this report that assurance has been maintained in the changed TOE.