Photo credit: www.darkreading.com
A common Xerox multifunction printer has been identified as having two significant vulnerabilities in its firmware, which have since been patched, but the risks they posed allowed potential intruders complete access to an organization’s Windows network environment.
The affected devices include the Xerox VersaLink C7025, with vulnerabilities found in firmware versions 57.69.91 and earlier. These vulnerabilities facilitate what are termed pass-back attacks, which allow malicious actors to intercept user credentials by altering the configuration of the multifunction printers (MFPs).
Complete Access to Windows Environments
According to cybersecurity researchers at Rapid7, exploitation of the vulnerabilities in question could permit attackers to gain access to Windows Active Directory credentials. This would enable them to navigate laterally within an organization’s network and affect other critical Windows servers and resources. As highlighted by Deral Heiland, a principal security researcher at Rapid7, the implications of such a breach are extensive.
Xerox characterizes the VersaLink C7025 as a multifunction printer integrated with ConnectKey technology, allowing users seamless interaction via cloud and mobile devices. This technology encompasses various security measures designed to fend off attacks, detect unauthorized changes to the printer, and safeguard sensitive data. The VersaLink series is promoted for small to medium-sized workgroups with monthly print volumes around 7,000 pages.
The two vulnerabilities identified by Rapid7, which Xerox has subsequently resolved, include CVE-2024-12510, an LDAP pass-back vulnerability with a CVSS score of 6.7, and CVE-2024-12511, an SMB/FTP pass-back vulnerability carrying a CVSS score of 7.6.
Rapid7 reports that these vulnerabilities enable an attacker to alter the MFP’s configuration, tricking it into relaying user authentication data to an adversary’s system, specifically when the printer is set up for LDAP and/or SMB services.
For instance, CVE-2024-12510 allows an attacker to manipulate the printer’s LDAP settings, replacing the legitimate LDAP server’s IP address with a malicious one of their choosing. Consequently, when the printer attempts to validate user credentials, it unwittingly connects to the attacker’s fraudulent LDAP server, thus allowing for the capture of plaintext LDAP credentials, as noted by Heiland.
Similarly, CVE-2024-12511 permits credential capture for SMB or FTP services when these options are activated on a vulnerable Xerox VersaLink C7025. If an attacker holds administrative access, they can reroute the IP for these services to their own server, thus intercepting SMB or FTP credentials.
Heiland explains that discovering a vulnerable printer can be as straightforward as accessing the affected Xerox MFP via a web browser, checking if the default password remains active, and confirming that LDAP and/or SMB services are configured. Additionally, attackers may utilize SNMP queries to ascertain the presence of LDAP services.
The potential for significant risk arises if cybercriminals gain access to a corporate network, as the pass-back attack mechanism could enable them to harvest Active Directory credentials undetected. This could afford them access to crucial Windows systems and data. Alarmingly, Heiland indicates that some printers may have LDAP settings exposing Domain Admin credentials, which could grant them total control over the organization’s environment.
According to Heiland, successful exploitation of LDAP and SMB settings typically leads to extensive access, allowing attackers to infiltrate file services, domain data, email systems, and databases. If compromised accounts with elevated privileges, such as those of Domain Admins, are involved, the ramifications for the organization could be dire.
An Ideal Scenario for Threat Actors
Jim Routh, chief trust officer at Saviynt, remarks that while exploiting these vulnerabilities requires a fair amount of technical expertise, success in doing so opens the door to Windows Active Directory, which harbors all administrator profiles. He points out that with each internet-connected device comes a set of configuration options, creating an attack surface susceptible to exploitation.
Xerox has released a patch for the affected printer firmware, enabling organizations to rectify these security flaws. For those unable to implement the patch immediately, Rapid7 advises establishing a complex admin account password and steering clear of using high-privilege Windows authentication accounts for LDAP or SMB functions. It is also recommended not to enable remote-control access for unauthenticated users.
Printer vulnerabilities are becoming an increasingly pressing concern for organizations, particularly with the emergence of remote and hybrid work environments. A recent study by Quocirca revealed that 67% of organizations reported dealing with a security incident related to printer vulnerabilities, a notable increase from 61% in the previous year. Despite this upward trend, many businesses continue to underestimate the threats posed by printer vulnerabilities, leaving them vulnerable to attacks.
Source
www.darkreading.com