Xerox patched a device-bricking vulnerability in certain printer models more than a year and a half ago, but said nothing until this week, when information on the bug became public.
The security defect – now tracked as CVE-2022-23968 – was reported to Xerox in September 2019. In January 2020, the vendor confirmed that at least one series of printer models was affected, but said nothing more about the bug for two more years.
The critical-severity issue can be exploited to at least partially brick a vulnerable device: it causes a denial of service (DoS) condition in which the printer asks for a reboot, and the error is triggered again immediately after the reboot, in a continuous loop.
The flaw can be triggered using a specially crafted multi-page TIFF file that contains an incomplete image directory payload, NeoSmart Technologies security researcher Mahmoud Al-Qudsi, who identified the issue, explains.
Because the printer parses each document up front to identify the resources the print job needs, the TIFF handler in the printer’s firmware fails on the incomplete image directories within the TIFF document, and the print job is suspended.
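One defensive check that follows from this description, as an added example that is not from the original article, from Xerox or from NeoSmart: a print-server pre-flight pass that walks the TIFF directory chain and rejects a document whose directories are cut short before it is ever sent to the printer. The function names and the constructed sample TIFF are mine; it handles classic TIFF only, not BigTIFF.

```python
import struct

IFD_ENTRY = 12  # every image file directory entry is 12 bytes in classic TIFF


def check_tiff_ifd_chain(data: bytes, max_pages: int = 1000) -> list:
    """Walk the image file directory (IFD) chain of a classic TIFF and return
    a list of structural problems; an empty list means every directory the
    header and the next-IFD pointers promise is fully present and the chain ends."""
    if len(data) < 8:
        return ["file shorter than the 8-byte TIFF header"]
    endian = {b"II": "<", b"MM": ">"}.get(data[:2])
    if endian is None:
        return ["unknown byte-order mark %r" % data[:2]]
    magic, offset = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        return ["bad magic %d, expected 42 (BigTIFF is not handled here)" % magic]
    problems, seen, page = [], set(), 0
    while offset != 0:
        if offset in seen:
            problems.append("IFD chain loops back to offset %d" % offset)
            break
        seen.add(offset)
        if page >= max_pages:
            problems.append("more than %d directories" % max_pages)
            break
        if offset + 2 > len(data):
            problems.append("page %d: IFD entry count at offset %d lies past end of file" % (page, offset))
            break
        (count,) = struct.unpack(endian + "H", data[offset:offset + 2])
        end = offset + 2 + count * IFD_ENTRY + 4  # entries plus the next-IFD pointer
        if end > len(data):
            problems.append("page %d: IFD at offset %d declares %d entries but the file ends %d bytes early"
                            % (page, offset, count, end - len(data)))
            break
        (offset,) = struct.unpack(endian + "I", data[end - 4:end])
        page += 1
    return problems


def build_minimal_tiff(pages: int) -> bytes:
    """Constructed sample input: a little-endian TIFF whose IFDs each carry two
    SHORT entries (ImageWidth=1, ImageLength=1) and link to the next page."""
    ifd_size = 2 + 2 * IFD_ENTRY + 4
    out = bytearray(struct.pack("<2sHI", b"II", 42, 8))
    for i in range(pages):
        nxt = 8 + (i + 1) * ifd_size if i < pages - 1 else 0
        out += struct.pack("<H", 2)
        out += struct.pack("<HHIHxx", 256, 3, 1, 1)  # tag 256 ImageWidth, type 3 SHORT
        out += struct.pack("<HHIHxx", 257, 3, 1, 1)  # tag 257 ImageLength, type 3 SHORT
        out += struct.pack("<I", nxt)
    return bytes(out)
```

Run the check on a submitted file and hold it in a quarantine queue when the returned list is non-empty; a truncated multi-page file reports the page and offset where the directory stops.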
“The printer firmware panics, displaying a message to the user indicating that an unexpected error has occurred and that a hard reboot is required for the printer to resume working,” Al-Qudsi notes.
Following a reboot, the printer attempts to resume the print job and encounters the same issue. The loop can’t be broken by unplugging the device (doing so won’t clear print jobs from the device’s memory).
What’s more, after the reboot the print queue management interface cannot be accessed before the error appears, and it remains inaccessible afterwards, so “there’s no means via any of the available user interfaces for the print queue to be cleared to break out of this vicious loop,” the researcher says.
According to Al-Qudsi, the denial of service loop can be broken by launching a network firmware update process (if there are firmware updates pending), as it will clear the job queue. Manually clearing the storage module on the device – via physical access – should also resolve the issue (a Xerox field technician may find other ways to clear the NVRAM).
An attacker looking to exploit the vulnerability needs no special permissions, whether they have local (physical, USB, or LAN) access to the printer or serve the specially crafted TIFF document over the Internet.
“The device’s web interface exposes an HTTP(S) POST interface that is not protected by any nonce and for which cross-site origin mitigations are useless as the response may be freely discarded,” Al-Qudsi says.
To mitigate the issue, the printer can be set to reject input from all unauthenticated users.
The researcher tested the vulnerability on Xerox VersaLink printers running firmware versions xx.42.01 and xx.50.61.
After Al-Qudsi made the vulnerability public at the beginning of this week, SecurityWeek contacted Xerox for clarification and was asked to wait for several days for a statement.
On Thursday, Xerox provided the following statement: “We are committed to upholding strong security standards and take that responsibility seriously. Xerox was made aware of a potential vulnerability impacting older versions of firmware on certain products.”
The vendor also announced that it has published an advisory for this critical vulnerability, which confirms that multiple VersaLink series models and two WorkCentre and Phaser models are impacted, and that the bug was addressed in June 2020, with the release of firmware version xx.61.23.
In the advisory, the company acknowledges Al-Qudsi as the reporting researcher and encourages customers to install the updated firmware versions as soon as possible, if they haven’t already.