Networked consumer and business printers manufactured and sold by Brother contain an unpatched vulnerability that can be abused by a remote attacker to cause a denial-of-service condition on the device.
Researchers at Trustwave’s SpiderLabs on Monday disclosed the issue after numerous fruitless attempts to contact Brother, including a live chat with a support person on Oct. 3, close to a month after the initial disclosure. A request for comment by Threatpost went unanswered prior to publication.
The vulnerability affects all Brother printers with the Debut embedded webserver, Trustwave said, and can be exploited with a single malformed request to the printer. Karl Sigler, threat intelligence manager at Trustwave, said the Debut web front end could be 15 years old and versions 1.20 and earlier are affected.
“From a network perspective, [an attack will] look like regular HTTP traffic hitting the printer. The attack is only sending a single request every few minutes to accomplish the DoS,” Sigler told Threatpost. “If the printer is internet accessible, that’s all an attacker would need. Otherwise, an attacker would need to gain access to the target’s network (social engineering comes to mind).”
Sigler said a Shodan search conducted by Trustwave turned up 14,989 affected devices reachable from the internet, a small percentage of the Brother printers in use.
“An attacker would need to be on the same network in most cases,” Sigler conceded.
An attack would be executed by sending a single malformed HTTP POST request to the printer's embedded web server; the server answers with a generic HTTP 500 error, and while the condition persists the web interface is unreachable and the printer is unable to print.
“Unfortunately, despite multiple attempts to contact Brother about this issue, no patch appears to be pending. In order to mitigate this issue, admins are left to their own devices,” Trustwave said in a statement. “Strict access control is in order here and using a firewall or similar device to restrict web access to only those admins that need it will help to mitigate the threat here. Unfortunately, poor access control is all too common.”
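The access-control advice above is a firewall rule; the observation earlier that the attack looks like ordinary HTTP traffic arriving every few minutes is a detection problem. The following is an added example, not code from Trustwave or Brother, that turns both into a check over a constructed flow log: it flags any HTTP request to a printer web interface from outside an assumed admin subnet (what the firewall rule should already be blocking) and separately flags a low-rate stream of POSTs to a printer that each draw a 500 response. The printer addresses, admin subnet, log format and sample lines are all assumptions for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed inventory: printer web interfaces and the admin subnet allowed to reach them.
PRINTERS = {"10.0.5.20", "10.0.5.21"}
ADMIN_NETS = [ipaddress.ip_network("10.0.1.0/24")]

# Constructed sample flow/proxy log: "<ISO time> <src> <dst> <method> <path> <status>".
# 10.0.7.44 sends one POST every few minutes to a printer, each answered with a 500.
SAMPLE_LOG = """\
2017-10-03T09:00:00 10.0.1.10 10.0.5.20 GET / 200
2017-10-03T09:01:10 10.0.7.44 10.0.5.20 POST / 500
2017-10-03T09:04:12 10.0.7.44 10.0.5.20 POST / 500
2017-10-03T09:07:09 10.0.7.44 10.0.5.20 POST / 500
2017-10-03T09:08:00 10.0.1.11 10.0.5.21 POST /admin 200
2017-10-03T09:09:00 10.0.2.5 10.0.9.9 POST /api 200
2017-10-03T09:09:30 10.0.3.3 10.0.5.21 GET / 200
"""


def parse_log(text):
    """Parse the assumed log format into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue
        ts, src, dst, method, path, status = parts
        try:
            events.append({
                "time": datetime.fromisoformat(ts),
                "src": src, "dst": dst, "method": method,
                "path": path, "status": int(status),
            })
        except ValueError:
            continue
    return events


def is_admin(ip):
    """Allowlist check: is the source inside one of the admin networks?"""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ADMIN_NETS)


def unauthorized_printer_access(events):
    """Any HTTP request to a printer web UI from a host outside the allowlist.
    Hits here mean the firewall restriction is missing or being bypassed."""
    return [e for e in events if e["dst"] in PRINTERS and not is_admin(e["src"])]


def slow_post_pattern(events, min_posts=3, max_gap=timedelta(minutes=10)):
    """Flag (src, printer) pairs that send at least min_posts POSTs, each answered
    with a 500, with every consecutive gap at most max_gap. Individually these
    look like normal HTTP; together they keep the web server down."""
    by_pair = defaultdict(list)
    for e in events:
        if e["dst"] in PRINTERS and e["method"] == "POST" and e["status"] == 500:
            by_pair[(e["src"], e["dst"])].append(e["time"])
    findings = {}
    for pair, times in by_pair.items():
        times.sort()
        if len(times) < min_posts:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        if all(g <= max_gap for g in gaps):
            findings[pair] = {
                "count": len(times),
                "mean_gap_s": sum(g.total_seconds() for g in gaps) / len(gaps),
            }
    return findings


def audit(text):
    """Run both checks over a log and return the findings."""
    events = parse_log(text)
    return {
        "unauthorized": [(e["src"], e["dst"], e["method"])
                         for e in unauthorized_printer_access(events)],
        "dos_pattern": slow_post_pattern(events),
    }


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_LOG).items():
        print(name, finding)
```

On the sample data the allowlist check reports four requests (three POSTs from 10.0.7.44 and one GET from 10.0.3.3), and the rate check singles out 10.0.7.44 against 10.0.5.20 with three 500-answered POSTs roughly three minutes apart. The two checks are deliberately independent: the allowlist catches any non-admin host, while the rate check still fires if the requests arrive from a host that is allowed to reach the printer.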
In the meantime, it would appear the issue will go unpatched. Sigler said it's likely that even if an update were produced by Brother, it would have to be manually deployed. This is an all-too-common scenario with connected devices that lack an automated mechanism for security and feature updates. Attackers have been all too happy to exploit such unpatched devices, as with Mirai, to carry out crippling distributed denial of service attacks.
“Some people dismiss denial of service attacks as a mere nuisance, but they can tie up resources and reduce productivity at any organization. They can also be used as a part of an in-person attack on an organization,” Trustwave said. “For instance, an attacker can launch a denial of service like this one and then show up at the organization as the ‘technician’ called to fix the problem. Impersonating a technician would allow the attacker direct physical access to IT resources that they might never have been able to access remotely.”