- Security researchers found two flaws affecting Xerox Versalink MFP printers
- The flaws could be used in “pass-back” attacks to steal login credentials
- Patches and workarounds are already available, so update now
Some Xerox printers are vulnerable to a “pass-back” attack which can be used to steal login credentials, experts have warned.
Cybersecurity researchers Rapid7 discovered the vulnerability and reported it in an in-depth analysis, saying that during security testing, it found a vulnerability affecting Xerox Versalink MFP printers. This flaw can be abused either via LDAP, or SMB/FTP, to mount a pass-back attack, and with that in mind, it was given two CVEs: CVE-2024-12510 for LDAP, and CVE-2024-12511 for SMB/FTP. The vulnerabilities were given severity scores of 6.7/10 (medium) and 7.6/10 (high) respectively, and affect firmware versions 57.69.91 and earlier.
“This pass-back style attack leverages a vulnerability that allows a malicious actor to alter the MFP’s configuration and cause the MFP device to send authentication credentials back to the malicious actor,” the researchers explained. “This style of attack can be used to capture authentication data.”
Capturing login credentials
The technical details can be found in the blog post here, but the gist is that if a threat actor gains access to a printer’s admin settings, and LDAP is used for authentication, they can change the LDAP server to the one they control, capturing login credentials.
They can also hijack the printer’s scan-to-file feature to steal SMB or FTP credentials, potentially compromising Windows Active Directory and other critical systems.
“For this attack to be successful, the attacker requires an SMB or FTP scan function to be configured within the user’s address book, as well as physical access to the printer console or access to remote-control console via the web interface,” the researchers stressed.
“This may require admin access unless user level access to the remote-control console has been enabled.”
After being tipped off, Xerox issued Service Pack Service Pack 57.75.53, which fixed the problem for VersaLink C7020, 7025, and 7030 series printers.
Those who are unable to apply the patches immediately are advised to set stronger passwords for their admin accounts, refrain from using Windows authentication accounts with high privileges, and disable the remote-control console for unauthenticated users.
Leave a comment