Xerox Quietly Patched Device-Bricking Flaw Affecting Some Printers

Xerox patched a device-bricking vulnerability in certain printer models more than a year and a half ago, but said nothing until this week, when information on the bug became public.

The security defect – now tracked as CVE-2022-23968 – was reported to Xerox in September 2019. In January 2020, the vendor had confirmed impact on at least one series of printer models, but said nothing else of the bug for two more years.

The critical-severity issue can be triggered to at least partially brick a vulnerable device by causing a denial of service (DoS) condition in which the printer asks for a reboot. The error is triggered again immediately after reboot, in a continuous loop.

The flaw can be triggered using a specially crafted multi-page TIFF file that contains an incomplete image directory payload, NeoSmart Technologies security researcher Mahmoud Al-Qudsi, who identified the issue, explains.

Because the printer checks documents to identify resources needed to complete the printing operation, the TIFF handler in the printer’s firmware would fail to parse the incomplete image directories within the TIFF document, suspending the printing job.

“The printer firmware panics, displaying a message to the user indicating that an unexpected error has occurred and that a hard reboot is required for the printer to resume working,” Al-Qudsi notes.

Following a reboot, the printer attempts to resume the print job and hits the same error. The loop can’t be broken by unplugging the device, since a power cycle does not clear pending print jobs from the device’s memory.

What’s more, the print queue management interface cannot be reached before the error occurs and remains inaccessible after it, so “there’s no means via any of the available user interfaces for the print queue to be cleared to break out of this vicious loop,” the researcher says.

According to Al-Qudsi, the denial of service loop can be broken by launching a network firmware update process (if there are firmware updates pending), as it will clear the job queue. Manually clearing the storage module on the device – via physical access – should also resolve the issue (a Xerox field technician may find other ways to clear the NVRAM).
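The failure mode described above hinges on a multi-page TIFF whose image file directories (IFDs) are incomplete, so a useful defensive control is to reject such files before they reach a device at all. The following Python is an added example, not code from the article, from Xerox or from the researcher: it walks the IFD chain of a TIFF and refuses any file in which a directory does not fit inside the file, points outside it, or loops, which is the kind of pre-submission check a print server or upload gateway could run. The `build_sample_tiff` helper constructs the sample input; the tag values it writes are arbitrary placeholders, and the validator only checks structure, not image content.

```python
import struct

# Byte size of each TIFF 6.0 field type (1..12); used to decide whether an
# entry's value is stored inline or at an offset elsewhere in the file.
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}
IFD_ENTRY_SIZE = 12


class TiffError(ValueError):
    """Raised when the IFD chain is incomplete, out of bounds, or cyclic."""


def validate_tiff_ifds(data: bytes, max_pages: int = 10_000) -> int:
    """Walk every image file directory (one per page) and return the page count.

    Raises TiffError if any directory is truncated, lies outside the file,
    or the chain of next-IFD pointers loops back on itself.
    """
    if len(data) < 8:
        raise TiffError("shorter than the 8-byte TIFF header")
    if data[:2] == b"II":
        end = "<"  # little-endian
    elif data[:2] == b"MM":
        end = ">"  # big-endian
    else:
        raise TiffError("unknown byte-order mark")
    magic, offset = struct.unpack(end + "HI", data[2:8])
    if magic != 42:
        raise TiffError("bad TIFF magic number")

    seen = set()
    pages = 0
    while offset != 0:
        if offset in seen:
            raise TiffError(f"IFD chain loops back to offset {offset}")
        seen.add(offset)
        if offset + 2 > len(data):
            raise TiffError(f"IFD offset {offset} lies outside the file")
        (count,) = struct.unpack_from(end + "H", data, offset)
        if count == 0:
            raise TiffError(f"IFD at {offset} declares zero entries")
        entries_end = offset + 2 + count * IFD_ENTRY_SIZE
        # A directory is complete only if all entries AND the 4-byte next pointer fit.
        if entries_end + 4 > len(data):
            raise TiffError(f"IFD at {offset} declares {count} entries but the file ends first")
        for i in range(count):
            tag, ftype, fcount, value = struct.unpack_from(
                end + "HHII", data, offset + 2 + i * IFD_ENTRY_SIZE)
            size = TYPE_SIZES.get(ftype)
            if size is None:
                raise TiffError(f"tag {tag} in IFD at {offset} has unknown type {ftype}")
            nbytes = size * fcount
            # Values longer than 4 bytes are stored out of line; that range must be in the file.
            if nbytes > 4 and value + nbytes > len(data):
                raise TiffError(f"tag {tag} in IFD at {offset} points outside the file")
        (offset,) = struct.unpack_from(end + "I", data, entries_end)
        pages += 1
        if pages > max_pages:
            raise TiffError("too many pages")
    if pages == 0:
        raise TiffError("no image directories")
    return pages


def is_safe_to_print(data: bytes) -> bool:
    """Gate a job: True only when every IFD in the TIFF is complete and in bounds."""
    try:
        validate_tiff_ifds(data)
        return True
    except TiffError:
        return False


def build_sample_tiff(pages: int, little_endian: bool = True) -> bytes:
    """Constructed sample input: a multi-page TIFF with minimal, well-formed directories."""
    end = "<" if little_endian else ">"
    out = bytearray(b"II" if little_endian else b"MM")
    out += struct.pack(end + "HI", 42, 8)  # magic, first IFD right after the header
    # (tag, type=SHORT, count, value): ImageWidth, ImageLength, BitsPerSample,
    # Compression, PhotometricInterpretation; the values are placeholders.
    entries = [(256, 3, 1, 1), (257, 3, 1, 1), (258, 3, 1, 8), (259, 3, 1, 1), (262, 3, 1, 1)]
    ifd_size = 2 + len(entries) * IFD_ENTRY_SIZE + 4
    for page in range(pages):
        out += struct.pack(end + "H", len(entries))
        for tag, ftype, fcount, value in entries:
            # SHORT values fit inline, left-justified in the 4-byte value field.
            out += struct.pack(end + "HHIH2x", tag, ftype, fcount, value)
        next_ifd = 8 + (page + 1) * ifd_size if page < pages - 1 else 0
        out += struct.pack(end + "I", next_ifd)
    return bytes(out)


if __name__ == "__main__":
    good = build_sample_tiff(2)
    print("complete file:", validate_tiff_ifds(good), "pages")
    print("truncated file accepted?", is_safe_to_print(good[:-10]))
```

Cutting the last few bytes off the two-page sample leaves the second directory declaring more entries than the file holds, and the validator rejects it; a file whose next-IFD pointer loops is rejected for the same reason a firmware parser could otherwise spin on it. This catches malformed structure only; it is a gate in front of the device, not a substitute for the firmware update.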

An attacker needs no special permissions to exploit the vulnerability, whether they have local (physical, USB, or LAN) access to the printer or serve the specially crafted TIFF document over the Internet.

“The device’s web interface exposes an HTTP(S) POST interface that is not protected by any nonce and for which cross-site origin mitigations are useless as the response may be freely discarded,” Al-Qudsi says.

“Only the device’s name or IP address on the destination network is required, although even that is not required as it may be discovered via JavaScript given that the endpoint URL is fixed and IPv4 is enabled by default, limiting the possible search space,” he continues.

To mitigate the issue, the printer can be set to reject input from all unauthenticated users.

The researcher tested the vulnerability on Xerox VersaLink printers running firmware versions xx.42.01 and xx.50.61.

After Al-Qudsi made the vulnerability public at the beginning of this week, SecurityWeek contacted Xerox for clarification and was asked to wait for several days for a statement.

On Thursday, Xerox provided the following statement: “We are committed to upholding strong security standards and take that responsibility seriously. Xerox was made aware of a potential vulnerability impacting older versions of firmware on certain products.”

The vendor also announced that it has published an advisory for this critical vulnerability, which confirms that multiple VersaLink series models and two WorkCentre and Phaser models are impacted, and that the bug was addressed in June 2020, with the release of firmware version xx.61.23.

In the advisory, the company acknowledges Al-Qudsi as the reporting researcher and encourages customers to install the updated firmware versions as soon as possible, if they haven’t already.

Related: Critical Vulnerability Found in More Than 150 HP Printer Models

Related: Millions of Devices Affected by Vulnerability in HP, Samsung, Xerox Printer Drivers

Related: Printers Hacked for First Time at Pwn2Own

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
