LAS VEGAS — At least 35 significant vulnerabilities in six commonly used enterprise printers have been uncovered, manufactured by HP, Ricoh, Xerox, Lexmark, Kyocera and Brother.
The bugs will be presented by NCC Group at a DEF CON session entitled “Why You Should Fear Your Mundane Office Equipment” on Saturday. They vary in severity but the potential impact ranges from denial-of-service attacks that could cause the printers to crash, spying on every print job sent and sending print jobs through to unauthorized parties. One of the printers made by HP for instance was affected by multiple overflow vulnerabilities in the Internet Printing Protocol (IPP) service, allowing a potential attacker to effect a denial-of-service (DoS) attack and potentially execute arbitrary code on the device.
“This is a problem, given that enterprise printers are often used to manage, print or process sensitive information in one way or another,” the firm said in. “They may seem mundane, but they are connected to just about every device in some organisations, representing a crucial part of the enterprise network that should be secured as much as PCs, shared servers and data storage devices.”
There’s also the possibility of installing backdoors to maintain a hidden presence on the network, according to research shared with Threatpost ahead of the session. That’s an attractive proposition for a hacker, given that backdoors usually must be planted on more hardened attack surface, such as computer servers, desktops or laptops.
“The issue here is that such endpoints often have AV or other threat detection techniques and may detect and remove the backdoor access,” according to the research. “This research has shown the feasibility of using printers for backdoor access, instead of computers. In many situations it would be possible to penetrate a network and install backdoor access on the printers; most printers typically lack any type of AV and most organizations probably don’t monitor the logs of printers, meaning that they offer a great place for long-term backdoor access into a network.”
In terms of the technical details, the HP Color LastJet Pro MFP M281fdw is afflicted by multiple buffer overflows in IPP Service (CVE-2019-6327); a buffer overflow in Web Server (CVE-2019-6326); multiple cross-site scripting (XSS) vulnerabilities (CVE-2019-6323, CVE-2019-6324); and a cross-site request forgery (CSRF) countermeasures bypass (CVE-2019-6325).
Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Lexmark printers. These include a Simple Network Management Protocol (SNMP) DoS vulnerability (CVE-2019-9931); multiple overflows in Lexmark Web Server (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933); information disclosure vulnerabilities (CVE-2019-9934, CVE-2019-9935, CVE-2019-10059); a lack of (CSRF) countermeasures (CVE-2019-10057); and no account lockout implemented (CVE-2019-10058).
All of the vulnerabilities discovered have either been patched, or will be, so system administrators are advised to update all vulnerable printers with the latest firmware, and monitor further updates.
“Because printers have been around for so long, they’re not seen as enterprise IoT devices—but they’re embedded in corporate networks and therefore pose a significant risk,” said Matt Lewis, research director at NCC Group, in a statement. “Building security into the development lifecycle would mitigate most if not all of these vulnerabilities. It’s very important that manufacturers continue to invest in security for all devices, just as corporate IT teams should guard against IoT-related vulnerabilities with even small change: changing default settings, enforcing secure configuration guides and regularly updating firmware.”
Printer problems are not uncommon; last year at DEF CON research showed that tens of millions of fax-ready HP OfficeJet inkjet printers were vulnerable to a simple hack that gave an attacker full control over a targeted printer.
Black Hat USA 2019 has kicked off this week in Las Vegas. For more Threatpost breaking news, stories and videos from Black Hat and DEF CON, click here.