There are many ways to compromise company data, but IT teams often overlook one of the most serious: the humble printer. It sits in the corner, happily humming away as it churns out sensitive company documents, but it’s a small computer with the ability to spit out hard copy. These things have an increasingly large attack surface and are often connected to the internet, awaiting remote commands.
Researchers at security company NCC Group took a closer look at printer security and discovered serious flaws in six popular printer brands that could allow attackers to take over accounts or comb through company documents. The opportunities for printer pwnage are many and varied – the researchers found several classes of bugs that recurred across many of these devices.
Buffer overflows were a common problem – especially critical because they could allow for remote code execution (RCE). These flaws would often show up in the printers’ Internet Printing Protocol (IPP) service, which lets clients submit and query print jobs. IPP is an IP-based protocol that can run locally or over the internet. They were also often common in the Line Printer Daemon (LPD) protocol, an older service also used to accept and control print jobs remotely. A maliciously crafted network packet is often enough to take control.
Another serious bug was the lack of an account lockout, enabling attackers to figure out local account credentials by brute-forcing the device, which is where you automatically try password after password until you get lucky. Lexmark, Ricoh, and Xerox printers contained this flaw.
Some Brother printers had a critical heap overflow bug in their IPP implementation, and a stack buffer overflow flaw in their cookie-handling code. Both of these were RCE bugs. NCC Group found multiple vulnerabilities in several HP printers, including cross-site scripting and buffer overflow flaws.
Kyocera printers had buffer overflows in their web servers, IPP services, and LPD services, along with a critical broken access control bug allowing unauthorised access to printer configuration settings, including user details and some passwords.
The printers also had several other less severe bugs, including XSS and CSRF flaws, and a path traversal vulnerability that allowed attackers to check for the existence of files on the printer and then retrieve them.
The researchers found six classes of vulnerability across dozens of Lexmark printer models. The most serious was a set of overflow bugs that allowed specially crafted requests to the printer’s web server to execute arbitrary code on the system, closely followed by the account lockout flaw.
The rest of the Lexmark bugs ranged from a denial of service vulnerability in SNMP, through information disclosure bugs and XSS flaws. The information disclosure bugs could leak sensitive operational and configuration data to an unauthenticated user, they warned.
Four Ricoh printers shared several bugs, including critical buffer overflows in the IPP service, the HTTP cookie header and parameter parsing, and LPD service. An information disclosure bug led to the disclosure of operating system memory.
Ricoh devices also featured several flaws unique to that brand in the NCC Group tests. Their design exposed a hardware serial connector to attackers with physical access to the machines, which could give them full control of the printers. The company also hardcoded FTP credentials into some of its printers’ firmware, allowing attackers to read information on the device’s FTP folders.
Xerox printers suffered from critical buffer overflows in their implementations of Google Cloud Print and IPP, and in their web servers. These could all lead to remote code execution or denial of service attacks. They also exhibited XSS and CSRF bugs.
The vendors have all patched these vulnerabilities so make sure you have the latest updates. This news highlights the importance of auditing and hardening this part of your IT ecosystem. When was the last time you patched your printer firmware and checked its configuration?
4 comments on “Serious flaws in six printer brands discovered, fixed”
Headline says six brands but only five are named.
In the text I counted six brand names. In order of appearance: Brother, HP, Kyocera, Lexmark, Ricoh, Xerox.
Interestingly, Canon appears to be missing from this article. I wonder why they were excluded as I believe they reasonably popular in the corporate space and may have the same vulnerabilities. Perhaps just not available to the researchers?
The ultimate conclusion of the article is, “Don’t forget your printers,” regardless of vendor.
I guess the researchers had to draw a line somewhere, so the mention of six specific brands should not be taken to mean that those brands are being called out as worse than all the rest, or that if you have any other brand you’ll never need to update!
The bad thing for the brands mentioned is that they happened to be the ones tested and thus got named as having bugs; the good news is that every vendor responded by patching and thus showed that they will do the right thing when researchers find problems.