Friday, February 21, 2025

Xerox Printer Vulnerabilities Allow Credential Capture


A popular small-to-midrange Xerox enterprise printer contains two now-patched vulnerabilities in its firmware that give attackers a path to full access to an organization's Windows environment.

The vulnerabilities affect firmware version 57.69.91 and earlier in Xerox VersaLink C7025 multifunction printers (MFPs). Both flaws enable what are known as pass-back attacks, a class of attacks that essentially allow a bad actor to capture user credentials by manipulating the MFP's configuration.

Full Access to Windows Environments

In certain situations, a malicious actor who successfully exploits the Xerox printer vulnerabilities would be able to capture credentials for Windows Active Directory, according to researchers at Rapid7 who discovered the flaws. "This means they could then move laterally within an organization's environment and compromise other critical Windows servers and file systems," Deral Heiland, principal security researcher, IoT, for Rapid7 wrote in a recent blog post.

Xerox describes the VersaLink C7025 as a multifunction printer featuring ConnectKey, a Xerox technology that lets customers interact with the printers over the cloud and via mobile devices. Among other things, the technology includes security features that, according to Xerox, help prevent attacks, detect potentially malicious changes to the printer, and protect against unauthorized transmission of critical data. Xerox has positioned its VersaLink family of printers as ideal for small and medium-sized workgroups that print around 7,000 pages per month.

The two vulnerabilities that Rapid7 discovered in the printer, and which Xerox has since fixed, are CVE-2024-12510 (CVSS score: 6.7), an LDAP pass-back vulnerability, and CVE-2024-12511 (CVSS score: 7.6), an SMB/FTP pass-back vulnerability.

The vulnerabilities, according to Rapid7, allow an attacker to change the MFP's configuration so as to cause the printer to send a user's authentication credentials to an attacker-controlled system. The attack works if a vulnerable Xerox VersaLink C7025 printer is configured for LDAP and/or SMB services.

In such a scenario, CVE-2024-12510 would allow an attacker to access the MFP's LDAP configuration page and change the LDAP server IP address in the printer's settings to point to their own malicious LDAP server. When the printer next tries to authenticate users by checking the LDAP User Mappings page, it connects to the attacker's fake LDAP server instead of the legitimate corporate LDAP server. This paves the way for the attacker to capture clear-text LDAP service credentials, Heiland wrote.

CVE-2024-12511 allows similar credential capture when the SMB or FTP scan function is enabled on a vulnerable Xerox VersaLink C7025 printer. An attacker with admin-level access can modify the SMB or FTP server's IP address to their own malicious IP and capture SMB or FTP authentication credentials.
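The observable side effect of both pass-back flaws is the same: the printer opens an LDAP, SMB or FTP connection to a server that is not the organization's own. The following detection logic is an added example, not code from the article or from Rapid7; it assumes a hypothetical inventory mapping each MFP to its sanctioned servers and flags constructed flow records where a printer talks to any other host on those service ports.

```python
# Pass-back detection: flag LDAP/SMB/FTP connections from an MFP to any host
# other than its sanctioned server. Constructed sample data; not Rapid7/Xerox code.
from dataclasses import dataclass
import re

# Ports of the services a pass-back attack abuses (LDAP, SMB, FTP per the article).
PASSBACK_PORTS = {389: "LDAP", 636: "LDAPS", 445: "SMB", 21: "FTP"}

# Hypothetical inventory: printer IP -> sanctioned servers per service, taken from
# the organisation's own records, not from the (possibly tampered) printer config.
SANCTIONED = {
    "10.0.5.20": {"LDAP": {"10.0.1.10"}, "LDAPS": {"10.0.1.10"}, "SMB": {"10.0.1.30"}},
}

LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=tcp$"
)
@dataclass
class Alert:
    ts: str
    printer: str
    service: str
    dst: str

def detect_passback(lines):
    """One Alert per LDAP/SMB/FTP connection from a known printer to a host that
    is not on that printer's sanctioned list for the service (empty list = none)."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # not a flow record in the expected format
        service = PASSBACK_PORTS.get(int(m["dport"]))
        sanctioned = SANCTIONED.get(m["src"])
        if service is None or sanctioned is None:
            continue  # not a printer, or not a credential-carrying service
        if m["dst"] not in sanctioned.get(service, set()):
            alerts.append(Alert(m["ts"], m["src"], service, m["dst"]))
    return alerts

# Constructed sample flow records: a normal LDAP bind to the real DC, an SMB
# scan-to-file to the real file server, then LDAP and FTP connections to an
# address not sanctioned for this printer; the last line is a non-printer host.
SAMPLE_LOG = """\
2025-02-21T09:00:01Z src=10.0.5.20:50211 dst=10.0.1.10:389 proto=tcp
2025-02-21T09:00:05Z src=10.0.5.20:50212 dst=10.0.1.30:445 proto=tcp
2025-02-21T09:01:10Z src=10.0.5.20:50213 dst=203.0.113.7:389 proto=tcp
2025-02-21T09:01:12Z src=10.0.5.20:50214 dst=203.0.113.7:21 proto=tcp
2025-02-21T09:02:00Z src=10.0.7.8:40000 dst=203.0.113.7:389 proto=tcp
"""
```

Because the sanctioned list comes from inventory rather than from the printer, a configuration change made through the vulnerable admin page does not silence the alert.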

All it takes for an attacker to find a vulnerable printer is to connect to an affected Xerox MFP device through a Web browser, validate that the default password is still enabled, and confirm that the device is configured for LDAP and/or SMB services, Heiland tells Dark Reading. "Also, it is often possible to query an MFP via SNMP and determine if LDAP services are enabled and configured."

The risk for organizations is that if a malicious actor were to gain any level of access to a business network, they could use the pass-back attack to easily harvest Active Directory credentials without being detected, he says. That could then allow them to pivot to more critical Windows systems within a compromised environment. "Unfortunately," he adds, "it is also not uncommon to find LDAP settings on MFP devices that contain Domain Admin credentials," which potentially could give a bad actor full control of an organization's Windows environment.

"Since LDAP and SMB settings on MFP devices typically contain Windows Active Directory credentials, a successful attack would give a malicious actor access to Windows file services, domain information, email accounts, and database systems," Heiland says. "If a Domain Admin account or account with elevated privileges was used for LDAP or SMB, then an attacker would have unfettered access to potentially everything within the organization's Windows environment."

An Ideal Scenario for Threat Actors

Jim Routh, chief trust officer at Saviynt, says an attacker would need relatively sophisticated technical skills to exploit these kinds of vulnerabilities. But for those who can, the LDAP vulnerability enables access to Windows Active Directory, where all administrator profiles and credentials reside. "It is the ideal scenario for the threat actor," he notes. "Every device connected to the Internet has configuration options that offer … an attack surface for the cybercriminal."

Xerox has released a patched version of the affected Xerox VersaLink MFP firmware, allowing customer organizations to update and fix the issues. Organizations that cannot immediately patch should set a "complex password for the admin account and also avoid using Windows authentication accounts that have elevated privileges, such as a Domain Admin account, for LDAP or scan-to-file SMB services," according to the Rapid7 blog post. "Also, organizations should avoid enabling the remote-control console for unauthenticated users."

Printer vulnerabilities are a growing problem for many organizations because of the rise in remote and hybrid work models. A 2024 study by Quocirca found 67% of organizations had experienced a security incident tied to a printer vulnerability, up from 61% the prior year. Despite the trend, many organizations continue to underestimate printer-related threats, making them a soft spot for attackers to target.
