Major vendors' business printers remotely abusable

Security researchers from UK vendor NCC Group have found serious vulnerabilties in networked business printers from popular vendors, flaws that can be used to remotely execute arbitrary code on the devices and help attackers move laterally across enterprise networks.

Apart form buffer overflows, NCC Group found scores of other exploitable vulnerabilties for denial of service attacks, information disclosure and cross-site scripting flaws.

One model from Kyocera had no fewer than 12 vulnerabilties, many of which could be used to run arbitrary remote code on the printer.

A Ricoh printer was also found to contain 12 vulnerabilties that could be exploited in a similar fashion, and a Xerox machine's Google Cloud Print implementation could be abused for remote code execution.

Earlier in May and June, NCC Group discovered similar vulnerabilties in printers from HP and Lexmark, which have now been patched.

Printers tested included:

• HP Color LastJet Pro MFP M281fdw
• Ricoh SP C250DN
• Xerox Phaser 3320
• Brother HL-L8360CDW
• Lexmark CX310DN
• Kyocera Ecosys M5526cdw

More models than the above may be vulnerable however, as vendors use similar software and hardware across product ranges.

NCC Group disclosed the vulnerabilities to the vendors in question, which have or are now developing patches for the flaws that users of the printers are urged to apply as soon as possible.

The security vendor's research director Matt Lewis said that while printers are not typically regarded as enterprise IoT, they are embedded devices that connect to sensitive corporate networks.

Lewis suggested that organisations need to pay attention to the threat from enterprise IoT and learn to make small changes to mitigate vulnerabilties.

This includes changing device defaults, and developing and enforcing secure printer configuration guides and regularly updating firmware.

Security researchers have long warned that networked office printers can be riddled with security holes which if exploited could leak sensitive information and be used to run malicious code.

In 2017 German Masters student Jens Müller analysed printer security, and found that vendors had not separated their. page description languages such as PostScript and PJL/PCL from the device control.

This means it is possible to execute a range of potentially damaging attacks, and bypass device security.

Müller cautioned against making printers accessible via the internet and suggested that users sandbox them as it was unlikely that the vendors would be able to update the non-open standards page description languages to deal with the security problems they bring.