
Flaws in Xerox VersaLink MFPs Spotlight Printer Security Concerns – Source: securityboulevard.com


Source: securityboulevard.com – Author: Jeffrey Burt

Security flaws found in Xerox VersaLink C7025 multifunction printers (MFPs) could allow attackers to grab authentication credentials, which would pave the way for them to move laterally through an organization’s IT environment and compromise other Microsoft Windows systems.

The two vulnerabilities uncovered by a researcher at cybersecurity firm Rapid7 highlight the continued threat Internet of Things (IoT) devices can present to enterprises and SMBs and put a particular focus on the often-overlooked risks associated with connected printers and copiers.

“IT teams today manage huge ecosystems of devices and networks, and it’s not uncommon for printers to slip through the cracks when it comes to security defenses,” managed mobility services company Stratix wrote. “When you add the complexity of frontline workers using wireless mobile printers in the field, there are even more vulnerabilities.”


Xerox’s VersaLink C7025 is an all-in-one enterprise color printer with multiple capabilities, from printing and copying to scanning, faxing, and emailing. Deral Heiland, principal IoT researcher at Rapid7, detected the vulnerabilities – tracked as CVE-2024-12510 and CVE-2024-12511 – last year, noting that, if the flaws were exploited, hackers could capture the authentication credentials through pass-back attacks that target Lightweight Directory Access Protocol (LDAP), Server Message Block (SMB) and File Transfer Protocol (FTP) services.

Pass-Back Attacks

In a pass-back attack, the bad actor is able to change the MFP’s configuration, causing the printer to send authentication credentials to a server controlled by the attacker. If a hacker gets access to the LDAP configuration page and the LDAP services are configured for authentication, they can reconfigure the service’s IP address and trigger an LDAP lookup, Heiland wrote in a report. This would force the printer to authenticate against a system controlled by the threat actor rather than an enterprise’s server.

In addition, they can target an SMB or FTP server’s IP address and point it to a host they control, which could trigger a scan to file and capture the server’s SMB or FTP authentication credentials. To do this, the attacker needs the scan function to be configured within the user’s address book and physical access to the printer console or to a remote-control console through the web interface.

“If a malicious actor can successfully leverage these issues, it would allow them to capture credentials for Windows Active Directory,” Heiland wrote. “This means they could then move laterally within an organization’s environment and compromise other critical Windows servers and file systems.”
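Because a pass-back attack makes the printer authenticate to a host other than the enterprise's own LDAP, SMB or FTP server, one place to detect it is in network flow records. The following is an added example, not code from the article or from Rapid7; the flow-record format, the printer subnet, the approved-server inventory and the sample records are all constructed assumptions.

```python
import csv
import io
import ipaddress

# Ports for the services the article names as pass-back targets.
PASSBACK_PORTS = {21: "FTP", 389: "LDAP", 636: "LDAPS", 445: "SMB"}

# Assumed site inventory (constructed values, private address ranges).
PRINTER_NET = ipaddress.ip_network("10.20.30.0/24")
APPROVED = {
    "LDAP": {"10.0.0.10"}, "LDAPS": {"10.0.0.10"},
    "SMB": {"10.0.0.20"}, "FTP": set(),  # no FTP scan targets at this site
}

# Constructed flow records: timestamp,src_ip,dst_ip,dst_port
SAMPLE_FLOWS = """\
2025-02-18T09:00:01Z,10.20.30.5,10.0.0.10,389
2025-02-18T09:00:07Z,10.20.30.5,10.0.0.20,445
2025-02-18T09:02:13Z,10.20.30.5,10.20.40.77,389
2025-02-18T09:02:40Z,10.20.30.9,10.20.40.77,445
2025-02-18T09:03:00Z,10.0.0.50,10.20.40.77,445
2025-02-18T09:04:00Z,10.20.30.9,10.0.0.20,9100
not,a,valid,row
"""

def find_passback_candidates(flow_csv):
    """Return printer-originated LDAP/SMB/FTP flows to unapproved hosts."""
    alerts = []
    for row in csv.reader(io.StringIO(flow_csv)):
        try:
            ts, src, dst, port = row
            src_ip = ipaddress.ip_address(src)
            ipaddress.ip_address(dst)  # reject malformed destinations
            service = PASSBACK_PORTS.get(int(port))
        except ValueError:
            continue  # skip malformed or short rows
        # Only printers talking to an authentication-bearing service matter.
        if src_ip not in PRINTER_NET or service is None:
            continue
        if dst not in APPROVED[service]:
            alerts.append((ts, src, dst, service))
    return alerts

if __name__ == "__main__":
    for alert in find_passback_candidates(SAMPLE_FLOWS):
        print("printer auth traffic to unapproved host:", alert)
```

The same allow-list can be enforced rather than only monitored, by restricting the printer VLAN's outbound LDAP, SMB and FTP traffic to the approved servers.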

Patches Now Available

Rapid7 alerted Xerox to the vulnerabilities in March 2024 and the printer company made patches available earlier this year.

“If patching the MFP devices cannot be done at this time, it is highly recommended to set a complex password for the admin account and also avoid using Windows authentication accounts that have elevated privileges, such as a domain admin account for LDAP or scan-to-file SMB services,” Heiland wrote. “Also, organizations should avoid enabling the remote-control console for unauthenticated users.”

Printers and Security

As MFPs like the VersaLink systems expand their uses within an enterprise, they become larger security concerns.

Analysts with market research firm Quocirca in 2023 found that while organizations are putting more print security practices in place, their faith in such measures is dropping. Of 507 IT decision-makers surveyed that year, only 19% said they were completely confident that their print infrastructure was protected.

In addition, 61% said their companies lost data due to unsecured printing – a figure that jumped to 67% last year – and 39% said it was increasingly difficult to keep up with print security demands.

That said, MFPs are attractive targets for bad actors. They are increasingly connected to networks, have internal storage that holds data related to print jobs, scanned documents, and faxes, and – being located in central office areas – can be accessed physically.

They also tend to have weak cybersecurity, such as default passwords, unsecured network connections, outdated firmware, and remote access, according to a Sharp Business blog last month.

“The security landscape is vulnerable,” the company wrote. “Cybercriminals know MFPs are often overlooked and use them as a gateway to your network and confidential data. … With cybercriminals and malicious hackers constantly seeking vulnerabilities to exploit, it is necessary to understand the conventional attack methods they employ and implement robust security measures to mitigate these risks.”


Original Post URL: https://securityboulevard.com/2025/02/flaws-in-xerox-versalink-mfps-spotlight-printer-security-concerns/
