Xerox Quietly Patched Device-Bricking Flaw Affecting Some Printers

Xerox patched a device-bricking vulnerability in certain printer models more than a year and a half ago, but said nothing until this week, when information on the bug became public.


The security defect – now tracked as CVE-2022-23968 – was reported to Xerox in September 2019. In January 2020, the vendor confirmed impact on at least one series of printer models, but said nothing more about the bug for two more years.

Triggering the critical-severity issue at least partially bricks a vulnerable device: it causes a denial of service (DoS) condition in which the printer asks for a reboot, and the error is triggered again immediately after the reboot, in a continuous loop.

The flaw can be triggered using a specially crafted multi-page TIFF file that contains an incomplete image directory payload, NeoSmart Technologies security researcher Mahmoud Al-Qudsi, who identified the issue, explains.

The printer inspects each document to identify the resources needed to complete the printing operation. During that step, the TIFF handler in the printer’s firmware fails to parse the incomplete image directories within the TIFF document, and the printing job is suspended.
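What a complete versus an incomplete image directory means structurally, as an added example (not code from Al-Qudsi's write-up or from Xerox): a pre-print check that a spooler could run to walk a TIFF's image file directory (IFD) chain and reject files whose directories run past the end of the file. The exact malformation behind CVE-2022-23968 is not given here, so this checks generic TIFF 6.0 directory completeness; `check_tiff_directories`, `build_sample` and `MAX_IFDS` are hypothetical names, and the sample file is constructed.

```python
import struct

# Byte sizes of TIFF 6.0 field types 1 (BYTE) through 12 (DOUBLE).
TYPE_SIZE = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
MAX_IFDS = 4096  # assumed sanity cap on pages, not a value from the article


def check_tiff_directories(data: bytes) -> tuple:
    """Return (ok, reason); ok is True only if every IFD in the chain is complete."""
    if len(data) < 8 or data[:2] not in (b"II", b"MM"):
        return False, "not a TIFF header"
    e = "<" if data[:2] == b"II" else ">"          # byte order for all fields
    magic, offset = struct.unpack_from(e + "HI", data, 2)
    if magic != 42:
        return False, "bad magic"
    seen = set()
    while offset:                                  # next-IFD offset 0 ends the chain
        if offset in seen or len(seen) >= MAX_IFDS:
            return False, f"IFD loop or too many IFDs at {offset}"
        seen.add(offset)
        if offset + 2 > len(data):
            return False, f"IFD {len(seen)} starts past end of file"
        (count,) = struct.unpack_from(e + "H", data, offset)
        end = offset + 2 + count * 12 + 4          # entry count + entries + next pointer
        if count == 0 or end > len(data):
            return False, f"IFD {len(seen)} is empty or truncated"
        for i in range(count):
            tag, typ, n, val = struct.unpack_from(e + "HHII", data, offset + 2 + i * 12)
            size = TYPE_SIZE.get(typ, 0) * n       # unknown field types are skipped
            if size > 4 and val + size > len(data):  # value stored out of line
                return False, f"IFD {len(seen)} tag {tag} points outside the file"
        (offset,) = struct.unpack_from(e + "I", data, end - 4)
    return (True, f"{len(seen)} complete IFDs") if seen else (False, "no IFD")


def build_sample(pages: int = 2) -> bytes:
    """Constructed sample: little-endian TIFF with one minimal directory per page."""
    out = bytearray(b"II" + struct.pack("<HI", 42, 8))
    for p in range(pages):
        entries = [(256, 4, 1, 1), (257, 4, 1, 1)]  # ImageWidth, ImageLength = 1
        nxt = len(out) + 2 + len(entries) * 12 + 4 if p < pages - 1 else 0
        out += struct.pack("<H", len(entries))
        for ent in entries:
            out += struct.pack("<HHII", *ent)
        out += struct.pack("<I", nxt)
    return bytes(out)
```

Pixel data (strips and tiles) is not validated; the check covers only the directory chain and the out-of-line values its entries point to.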

“The printer firmware panics, displaying a message to the user indicating that an unexpected error has occurred and that a hard reboot is required for the printer to resume working,” Al-Qudsi notes.

Following a reboot, the printer attempts to resume the printing job and encounters the same issue. Unplugging the device does not break the loop, because that won’t clear printing jobs from the device’s memory.

What’s more, after the reboot the print queue management interface cannot be reached before the error occurs and is inaccessible afterwards as well, so “there’s no means via any of the available user interfaces for the print queue to be cleared to break out of this vicious loop,” the researcher says.


According to Al-Qudsi, the denial of service loop can be broken by launching a network firmware update process (if there are firmware updates pending), as it will clear the job queue. Manually clearing the storage module on the device – via physical access – should also resolve the issue (a Xerox field technician may find other ways to clear the NVRAM).

An attacker needs no special permissions to exploit the vulnerability, whether they have local (physical, USB, or LAN) access to the printer or serve the specially crafted TIFF document over the Internet.

“The device’s web interface exposes an HTTP(S) POST interface that is not protected by any nonce and for which cross-site origin mitigations are useless as the response may be freely discarded,” Al-Qudsi says.

“Only the device’s name or IP address on the destination network is required, although even that is not required as it may be discovered via JavaScript given that the endpoint URL is fixed and IPv4 is enabled by default, limiting the possible search space,” he continues.

To mitigate the issue, the printer can be set to reject input from all unauthenticated users.

The researcher tested the vulnerability on Xerox VersaLink printers running firmware versions xx.42.01 and xx.50.61.

After Al-Qudsi made the vulnerability public at the beginning of this week, SecurityWeek contacted Xerox for clarification and was asked to wait for several days for a statement.

On Thursday, Xerox provided the following statement: “We are committed to upholding strong security standards and take that responsibility seriously. Xerox was made aware of a potential vulnerability impacting older versions of firmware on certain products.”

The vendor also announced that it has published an advisory for this critical vulnerability, which confirms that multiple VersaLink series models and two WorkCentre and Phaser models are impacted, and that the bug was addressed in June 2020, with the release of firmware version xx.61.23.

In the advisory, the company acknowledges Al-Qudsi as the reporting researcher and encourages customers to install the updated firmware versions as soon as possible, if they haven’t already.


Written By

Ionut Arghire is an international correspondent for SecurityWeek.
