Lexmark Printers Open to Arbitrary Code-Execution Zero-Day

“No remedy available as of June 21, 2021,” according to the researcher who discovered the easy-to-exploit, no-user-action-required bug.

Lexmark printers – those ubiquitous, inky office workhorses that fill homes and offices, and are found all the way on up to the federal government – have an unpatched vulnerability that could lead to serious, easy-to-execute attacks that require neither privileges nor user interaction and which can lead to arbitrary code execution.

According to an advisory filed by researcher Julio Aviña on the IBM X-Force Exchange, the flaw could lead to a low-complexity attack that could allow a local attacker to execute arbitrary code. The vulnerability’s CVSS 3.0 base score is high, at 8.4. Fortunately, it doesn’t appear to have been exploited yet: The report lists the bug’s exploitability as “unproven.”

The bug, found in the Lexmark Printer Software G2 Installation Package, is caused by an unquoted service-path vulnerability in the “LM__bdsvc” service. That package allows an administrator to customize the users’ installation experience, according to Lexmark.

The installation package in question runs on Microsoft Windows Vista (32-bit/64-bit), Server 2008 (32-bit/64-bit), Windows 7 (32-bit/64-bit), Server 2008 R2 (64-bit), Windows 8.1 (32-bit/64-bit), Windows 10 Client (32-bit/64-bit), Windows Server 2012, Server 2012 (64-bit) R2, Server 2016 (64-bit) and Server 2019 (64-bit), and provides print and scan drivers with an enhanced GUI.

“By placing a specially crafted file, an attacker could exploit this vulnerability to execute arbitrary code on the system,” the advisory explained. According to ProcessChecker, a service that shows information about running processes, LM__bdsvc.exe is part of the printer communication system.

As of Tuesday, there was no patch or other workaround available, Aviña wrote: “No remedy available as of June 21, 2021.”

The advisory states that a successful attempt to exploit the bug requires the attacker “to insert an executable file into the service path undetected by the OS or some security application.” When the service or the system restarts, that executable will run with elevated privileges.
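The vulnerability class described above, a Windows service whose executable path contains spaces but is not wrapped in quotes, is something defenders can audit for across every service on a host, not just the Lexmark one. The Python script below is an added example and is not code from the advisory, from Lexmark or from Threatpost. It parses service ImagePath values, flags the unquoted ones that contain spaces, lists the locations Windows would try before reaching the intended binary (the directories an auditor checks are not writable by standard users), and produces the quoted form that removes the ambiguity. The service names and paths in SAMPLE_IMAGE_PATHS are constructed; the advisory does not publish the real LM__bdsvc path. The assumption that a service executable ends in ".exe" is a heuristic of this example. The registry reader only does anything on Windows; elsewhere the script falls back to the constructed sample so it runs offline.

```python
"""Audit Windows service ImagePath values for unquoted paths containing spaces
(the vulnerability class behind the LM__bdsvc advisory) and produce the quoted
form that removes the ambiguity.  Added example; not the vendor's code."""
import re
from dataclasses import dataclass

# Constructed sample ImagePath values for illustration.  These are NOT the
# real Lexmark service paths, which the advisory does not publish.
SAMPLE_IMAGE_PATHS = {
    "GoodQuoted": '"C:\\Program Files\\Example Vendor\\svc.exe" -run',
    "GoodNoSpace": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "BadUnquoted": r"C:\Program Files\Example Vendor\Print Service\printsvc.exe --daemon",
}

# Heuristic: the executable is everything up to the first ".exe" that is
# followed by whitespace or end of string; the remainder is arguments.
EXE_RE = re.compile(r"^(.*?\.exe)(\s.*)?$", re.IGNORECASE)


@dataclass
class Finding:
    service: str
    image_path: str
    candidate_paths: list   # locations CreateProcess would try before the real exe
    fixed_path: str         # quoted ImagePath that removes the ambiguity


def parse_image_path(image_path):
    """Split an ImagePath into (executable, arguments, was_quoted)."""
    s = image_path.strip()
    if s.startswith('"'):
        end = s.find('"', 1)
        if end == -1:                      # unterminated quote: rest is the exe
            return s[1:], "", True
        return s[1:end], s[end + 1:].strip(), True
    m = EXE_RE.match(s)
    if not m:                              # no ".exe": treat whole string as exe
        return s, "", False
    return m.group(1), (m.group(2) or "").strip(), False


def is_unquoted_with_spaces(image_path):
    """True when the service is exposed to the unquoted-path ambiguity."""
    exe, _, quoted = parse_image_path(image_path)
    return not quoted and " " in exe


def candidate_paths(exe):
    """Paths CreateProcess tries, in order, before reaching the intended
    executable; it appends '.exe' to a token that has no extension.  An
    auditor verifies that none of these parent directories is writable by
    standard users."""
    out = [exe[:i] + ".exe" for i, ch in enumerate(exe) if ch == " "]
    out.append(exe)
    return out


def quote_image_path(image_path):
    """Return the ImagePath with the executable wrapped in double quotes."""
    exe, args, _ = parse_image_path(image_path)
    return f'"{exe}"' + (f" {args}" if args else "")


def audit(image_paths):
    """Return a Finding for each service whose ImagePath is unquoted with spaces."""
    findings = []
    for name, path in image_paths.items():
        if is_unquoted_with_spaces(path):
            exe, _, _ = parse_image_path(path)
            findings.append(Finding(name, path, candidate_paths(exe), quote_image_path(path)))
    return findings


def read_services_from_registry():
    """On Windows, collect ImagePath values from HKLM\\SYSTEM\\CurrentControlSet\\Services.
    Returns an empty dict on other platforms so the script still runs offline."""
    try:
        import winreg
    except ImportError:
        return {}
    result = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, r"SYSTEM\CurrentControlSet\Services") as root:
        i = 0
        while True:
            try:
                name = winreg.EnumKey(root, i)
            except OSError:                # no more subkeys
                break
            i += 1
            try:
                with winreg.OpenKey(root, name) as sub:
                    result[name], _ = winreg.QueryValueEx(sub, "ImagePath")
            except OSError:                # service without an ImagePath value
                continue
    return result


if __name__ == "__main__":
    services = read_services_from_registry() or SAMPLE_IMAGE_PATHS
    for f in audit(services):
        print(f"[!] {f.service}: {f.image_path}")
        for c in f.candidate_paths[:-1]:
            print(f"    would be tried first: {c}")
        print(f"    remediation: set ImagePath to {f.fixed_path}")
```

Run as an administrator on a Windows host it reports every service with this weakness; on any other platform it runs against the constructed sample. The quoted path it prints is what goes into the service configuration (for example via `sc config <ServiceName> binPath= "..."` with the inner quotes escaped), which closes the ambiguity even before a vendor patch is available; restricting write access to the parent directories is the complementary control.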

Lexmark told Threatpost on Tuesday that a fix is in the works. Lexmark CSO Bryan Willett said in an emailed statement that “Lexmark takes security very seriously. We are aware of this concern and are working to address the vulnerability. We welcome security researchers to report vulnerabilities directly at Lexmark Security Advisories.”

How to Fall Asleep on Your Lexmark Printer

Beyond known security vulnerabilities, Lexmark printers have in the past been prone to a trivial hack thanks to what researchers have called “gross negligence” on the part of users. In 2017, researchers at NewSky Security warned that they had found hundreds of Lexmark printers misconfigured, open to the public internet and easily accessible to anyone interested in taking control of targeted devices.

Researchers identified 1,123 Lexmark printers traced back to businesses, universities and, in some cases, U.S. government offices. Adversaries with access to those printers could perform a number of malicious actions: The fact that they were open to the internet enabled attackers to add a backdoor, to capture print jobs, to knock a printer offline, to print junk content or to physically disrupt a printer’s operation.

U.S. Government Loves Security Bug-Ridden Lexmarks

Besides Lexmark users’ negligence, U.S. government use of Lexmark printers pockmarked with security vulnerabilities has been rife. A federal audit published in July 2019 found that the U.S. Army and Air Force used government purchase cards to spend at least $32.8 million in fiscal year 2018 on commercial off-the-shelf IT products with “known cybersecurity vulnerabilities.”

Lexmark printers were among them, according to the Inspector General of the Department of Defense (DoD). In fact, the lion’s share of that money – more than $30 million – was spent on 8,000 Lexmark printers. At the time, according to the audit, the National Vulnerability Database (NVD) listed 20 cybersecurity vulnerabilities in Lexmark printers, including storing and transmitting sensitive network access credentials in plain text and allowing the execution of malicious code on the printer. According to the report, the vulnerabilities could have allowed remote attackers to use a connected Lexmark printer “to conduct cyberespionage” or to launch a denial-of-service (DoS) attack on a DoD network.

How Worried Should We Be?

Andrew Barratt, managing principal of solutions and investigations at cybersecurity advisory provider Coalfire, told Threatpost that there’s “nothing new about this kind of vulnerability,” given that they are, unfortunately, “very common.”

Successful execution requires an intruder to have access to the underlying host system, Barratt said via email on Tuesday, so it’s “more of an attack vector for potential lateral movement and privilege escalation.” He noted that the bug could be used potentially by a malicious insider looking to circumvent permissions on a corporate computer, for example.

062221 14:06 UPDATE: corrected reference to “remote” code execution, which should have read “arbitrary” code execution.
