A popular small to midrange Xerox enterprise printer contains two now-patched vulnerabilities in its firmware that give attackers a chance to gain full access to an organization’s Windows environment.
The vulnerabilities affect firmware version 57.69.91 and earlier in Xerox VersaLink C7025 multifunction printers (MFPs). Both flaws enable what are known as pass-back attacks, a class of attacks that essentially allow a bad actor to capture user credentials by manipulating the MFPs’ configuration.
Full Access to Windows Environments
In certain situations, a malicious actor who successfully exploits the Xerox printer vulnerabilities would be able to capture credentials for Windows Active Directory, according to researchers at Rapid7 who discovered the flaws. “This means they could then move laterally within an organization’s environment and compromise other critical Windows servers and file systems,” Deral Heiland, principal security researcher, IoT, for Rapid7 wrote in a recent blog post.
Xerox describes VersaLink C7025 as a multifunction printer featuring ConnectKey, a Xerox technology that allows customers to interact with the printers over the cloud and via mobile devices. Among other things, the technology includes security features that, according to Xerox, help prevent attacks, detect potentially malicious changes to the printer, and protect against unauthorized transmission of critical data. Xerox has positioned its VersaLink family of printers as ideal for small and medium-sized workgroups that print around 7,000 pages per month.
The two vulnerabilities that Rapid7 discovered in the printer, and which Xerox has since fixed, are CVE-2024-12510 (CVSS score: 6.7), an LDAP pass-back vulnerability; and CVE-2024-12511 (CVSS score: 7.6), an SMB/FTP pass-back vulnerability.
The vulnerabilities, according to Rapid7, allow an attacker to change the MFP’s configuration so as to cause the printer to send a user’s authentication credentials to an attacker-controlled system. The attack would work if a vulnerable Xerox VersaLink C7025 printer is configured for LDAP and/or SMB services.
In such a scenario, CVE-2024-12510 would allow an attacker to access the MFP’s LDAP configuration page and change the LDAP server IP address in the printer’s settings to point to their own malicious LDAP server. When the printer next tries to authenticate users by checking the LDAP User Mappings page, it connects to the attacker’s fake LDAP server instead of the legitimate corporate LDAP server. This paves the way for the attacker to capture clear-text LDAP service credentials, Heiland wrote.
CVE-2024-12511 allows similar credential capture when the SMB or FTP scan function is enabled on a vulnerable Xerox VersaLink C7025 printer. An attacker with admin-level access can modify the SMB or FTP server’s IP address to their own malicious IP and capture SMB or FTP authentication credentials.
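Because a pass-back attack works by repointing the printer’s LDAP or scan-to-file destination, the printer itself becomes the client that reaches out to the attacker’s host. A defender can therefore watch egress from the printer VLAN on LDAP, SMB and FTP ports and alert on any destination that is not an approved directory or file server. The following Python detection is an added illustration, not code from Rapid7 or Xerox; the printer subnet, approved server addresses and flow-record format are assumptions, and the sample flows are constructed.

```python
# Flag printer-originated LDAP/SMB/FTP flows to hosts other than the approved
# directory and file servers. A pass-back attack repoints the MFP's LDAP or
# scan-to-file destination, so the printer itself becomes the client that leaks
# credentials; egress from the printer VLAN to an unexpected host on these
# ports is the observable. Sample flow records are constructed, not real logs.
from ipaddress import ip_address, ip_network

# Assumed values: the printer VLAN and the organisation's approved servers.
PRINTER_SUBNET = ip_network("10.20.30.0/24")
APPROVED = {
    "ldap": {"10.0.0.10", "10.0.0.11"},  # domain controllers
    "smb": {"10.0.1.20"},                # scan-to-file share
    "ftp": set(),                        # scan-to-FTP is not approved at all
}
PORT_TO_SERVICE = {389: "ldap", 636: "ldap", 3268: "ldap", 3269: "ldap",
                   139: "smb", 445: "smb", 21: "ftp"}

def parse_flow(line):
    """Parse a 'src=... dst=... dport=... proto=...' key=value flow record."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return fields["src"], fields["dst"], int(fields["dport"])

def detect_passback(lines):
    """Return (src, dst, port, service) for each printer flow to a non-approved host."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        src, dst, port = parse_flow(line)
        service = PORT_TO_SERVICE.get(port)
        if service is None or ip_address(src) not in PRINTER_SUBNET:
            continue  # not a directory/file-transfer port, or not from a printer
        if dst not in APPROVED[service]:
            findings.append((src, dst, port, service))
    return findings

# Constructed flow records: normal traffic, then two pass-back candidates,
# a workstation (ignored: not a printer) and a raw-print flow (ignored: port 9100).
SAMPLE_FLOWS = """\
src=10.20.30.5 dst=10.0.0.10 dport=389 proto=tcp
src=10.20.30.5 dst=10.0.1.20 dport=445 proto=tcp
src=10.20.30.5 dst=198.51.100.7 dport=389 proto=tcp
src=10.20.30.9 dst=203.0.113.44 dport=21 proto=tcp
src=10.0.5.77 dst=198.51.100.7 dport=389 proto=tcp
src=10.20.30.5 dst=10.0.0.10 dport=9100 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for src, dst, port, service in detect_passback(SAMPLE_FLOWS):
        print(f"ALERT {service.upper()} pass-back candidate: {src} -> {dst}:{port}")
```

In practice the same allowlist comparison can be run against the MFP’s configured LDAP and scan-to-file server fields during periodic configuration audits, so a repointed address is caught even before the printer next authenticates.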
All it takes for an attacker to discover a vulnerable printer is to connect to an affected Xerox MFP device via a Web browser, validate that the default password is still enabled, and ensure that the device is configured for LDAP and/or SMB services, Heiland tells Dark Reading. “Also, it is often possible to query an MFP via SNMP and identify if LDAP services are enabled and configured.”
The risk for organizations is that if a malicious actor were to gain any level of access to an enterprise network, they could use the pass-back attack to easily harvest Active Directory credentials without being detected, he says. That would then allow them to pivot to more critical Windows systems within a compromised environment. “Unfortunately,” he adds, “it is also not uncommon to find LDAP settings on MFP devices that contain Domain Admin credentials,” which potentially could give a bad actor full control of an organization’s Windows environment.
“Since LDAP and SMB settings on MFP devices typically contain Windows Active Directory credentials, a successful attack would give a malicious actor access to Windows file services, domain information, email accounts, and database systems,” Heiland says. “If a Domain Admin account or account with elevated privileges was used for LDAP or SMB, then an attacker would have unfettered access to potentially everything within the organization’s Windows environment.”
An Ideal Scenario for Threat Actors
Jim Routh, chief trust officer at Saviynt, says an attacker would need relatively sophisticated technical skills to exploit these kinds of vulnerabilities. But for those who can, the LDAP vulnerability allows access to Windows Active Directory, where all administrator profiles and credentials reside. “It’s the ideal scenario for the threat actor,” he notes. “Every device connected to the Internet has configuration options that offer … an attack surface for the cybercriminal.”
Xerox has released a patched version of the affected Xerox VersaLink MFP firmware, allowing customer organizations to update and fix the issues. Organizations that cannot immediately patch should set a “complex password for the admin account and also avoid using Windows authentication accounts that have elevated privileges, such as a Domain Admin account for LDAP or scan-to-file SMB services,” according to the Rapid7 blog post. “Also, organizations should avoid enabling the remote-control console for unauthenticated users.”
Printer vulnerabilities are a growing problem for many organizations because of the rise in remote and hybrid work models. A 2024 study by Quocirca found 67% of organizations had experienced a security incident tied to a printer vulnerability, up from 61% the prior year. Despite the trend, many organizations continue to underestimate printer-related threats, making them a soft spot for attackers to target.