After apparently failing several times to get a response from printer manufacturer Brother, security researchers at Trustwave have gone public with details of a vulnerability (CVE-2017-16249) they discovered in certain models of Brother printers that lets an attacker render the devices temporarily unusable.
The attack exploits a flaw in the printer’s embedded Debut httpd server to cause a DoS (Denial of Service) attack, freezing any print jobs and blocking access to the web interface.
All an attacker has to do is send the printer’s web server a single malformed HTTP
POST request and the printer will hang for some time before eventually timing out with a status code of 500, indicating a server error.
At this point, another booby-trapped request will hang up the printer again, and so on.
Any Brother printers that use the Debut-based web interface are apparently vulnerable to this attack.
So while this may sound more like an opportunity for mischief than a stop-the-presses exploit, a remote attacker could use this vulnerability as a stepping stone to something more damaging than an unmoving print queue.
A printer that keeps going wrong can distract a busy IT team, or even serve as a pretext for someone with social engineering skills to talk their way into the organisation to “fix” the problem.
The Trustwave advisory suggests the following:
No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation.
To which Brother added the following, in recent comments made to SC Computing:
We recommend that the printer password feature is always activated. For those with advanced requirements, Brother offers industry standard protocols such as IPsec, SSL, TLS, SNMPv3 and more, which can be enabled to further secure the printing environment … We encourage any customers with questions about their Brother printer security and set up to contact our customer services team for assistance and guidance.
Or, to put all that advice another way, the principle of least privilege applies here, just as it does everywhere else: the only people who should have access to your printer’s web interface, no matter who made it, are the people who need to have that access.