There are many ways to compromise company data, but IT teams often overlook one of the most serious: the humble printer. It sits in the corner, happily humming away as it churns out sensitive company documents, but it’s a small computer with the ability to spit out hard copy. These things have an increasingly large attack surface and are often connected to the internet, awaiting remote commands.
Researchers at security company NCC Group took a closer look at printer security and discovered serious flaws in six popular printer brands that could allow attackers to take over accounts or comb through company documents. The opportunities for printer pwnage are many and varied – the researchers found several classes of bugs that recurred across many of these devices.
Buffer overflows were a common problem – especially critical because they could allow for remote code execution (RCE). These flaws would often show up in the printers’ Internet Printing Protocol (IPP) service, which lets clients submit and query print jobs. IPP is an IP-based protocol that can run locally or over the internet. They were also often common in the Line Printer Daemon (LPD) protocol, an older service also used to accept and control print jobs remotely. A maliciously crafted network packet is often enough to take control.
Another serious bug was the lack of an account lockout, enabling attackers to figure out local account credentials by brute-forcing the device, which is where you automatically try password after password until you get lucky. Lexmark, Ricoh, and Xerox printers contained this flaw.
Some Brother printers had a critical heap overflow bug in their IPP implementation, and a stack buffer overflow flaw in their cookie-handling code. Both of these were RCE bugs. NCC Group found multiple vulnerabilities in several HP printers, including cross-site scripting and buffer overflow flaws.
Kyocera printers had buffer overflows in their web servers, IPP services, and LPD services, along with a critical broken access control bug allowing unauthorised access to printer configuration settings, including user details and some passwords.
The printers also had several other less severe bugs, including XSS and CSRF flaws, and a path traversal vulnerability that allowed attackers to check for the existence of files on the printer and then retrieve them.
The researchers found six classes of vulnerability across dozens of Lexmark printer models. The most serious was a set of overflow bugs that allowed specially crafted requests to the printer’s web server to execute arbitrary code on the system, closely followed by the account lockout flaw.
The rest of the Lexmark bugs ranged from a denial of service vulnerability in SNMP, through information disclosure bugs and XSS flaws. The information disclosure bugs could leak sensitive operational and configuration data to an unauthenticated user, they warned.
Four Ricoh printers shared several bugs, including critical buffer overflows in the IPP service, the HTTP cookie header and parameter parsing, and LPD service. An information disclosure bug led to the disclosure of operating system memory.
Ricoh devices also featured several flaws unique to that brand in the NCC Group tests. Their design exposed a hardware serial connector to attackers with physical access to the machines, which could give them full control of the printers. The company also hardcoded FTP credentials into some of its printers’ firmware, allowing attackers to read information on the device’s FTP folders.
Xerox printers suffered from critical buffer overflows in their implementations of Google Cloud Print and IPP, and in their web servers. These could all lead to remote code execution or denial of service attacks. They also exhibited XSS and CSRF bugs.
The vendors have all patched these vulnerabilities so make sure you have the latest updates. This news highlights the importance of auditing and hardening this part of your IT ecosystem. When was the last time you patched your printer firmware and checked its configuration?