Security researchers have uncovered critical printer vulnerabilities in Xerox VersaLink C7025 Multifunction Printers (MFPs). These flaws could allow attackers to capture authentication credentials via pass-back attacks using Lightweight Directory Access Protocol (LDAP) and SMB/FTP services.
Overview of the Vulnerabilities
Deral Heiland, a security researcher at Rapid7, explained that these pass-back attacks take advantage of a vulnerability that enables a malicious actor to alter the MFP’s configuration. As a result, the device can be manipulated to send authentication credentials back to the attacker.
What Is a Pass-Back Attack?
A pass-back attack is a cyberattack where an attacker manipulates a system’s configuration to redirect authentication credentials back to themselves. This is typically done by altering network settings so that when a device, such as a printer or server, attempts to authenticate against a legitimate service (e.g., LDAP, SMB, or FTP), it instead sends the credentials to an attacker-controlled server. Once captured, these credentials can be used to gain unauthorized access to systems, potentially allowing lateral movement within a network to compromise sensitive data and infrastructure.
Heiland noted that if an attacker successfully exploits these vulnerabilities, they could capture Windows Active Directory credentials. This access would then allow them to move laterally within an organization’s network, potentially compromising critical Windows servers and file systems.
The identified vulnerabilities, affecting firmware versions 57.69.91 and earlier, include:
- CVE-2024-12510 (CVSS score: 6.7) – Pass-back attack via LDAP
- CVE-2024-12511 (CVSS score: 7.6) – Pass-back attack via the user’s address book
Impact and Exploitation
The exploitation of CVE-2024-12510 could enable authentication credentials to be redirected to a rogue server, thereby exposing sensitive information. However, executing this attack requires the attacker to gain access to the LDAP configuration page and for LDAP authentication to be in use.
Similarly, CVE-2024-12511 could allow an attacker to modify the user address book configuration to alter the SMB or FTP server’s IP address. This change would redirect the authentication process to a malicious server, enabling the attacker to capture SMB or FTP credentials during file scan operations.
Heiland emphasized that for this attack to work, the attacker would need an SMB or FTP scan function to be configured in the user’s address book. In addition, the attacker would require either physical access to the printer console or remote access through the web interface. In some cases, administrative access may be necessary unless user-level access to the remote-control console has been enabled.
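Because a pass-back attack works by pointing the printer's LDAP, SMB or FTP settings at a host the attacker controls, the observable side effect on the network is the printer opening directory or file-share connections to a server it has never talked to before. The script below is an added example, not code from Xerox, Rapid7 or the article: it reads a constructed flow-log format (timestamp, source IP, destination IP, destination port, protocol), and flags any LDAP/LDAPS/SMB/FTP connection originating from a known printer address whose destination is not on the allowlist of legitimate servers for that service. The printer address, server addresses and log lines are all constructed placeholders.

```python
"""Flag printer-originated LDAP/SMB/FTP connections to unexpected hosts.

Added example (not Xerox's, Rapid7's or the article's code). It assumes a
constructed flow-log line format:
    "<timestamp> <src_ip> <dst_ip> <dst_port> <proto>"
All IP addresses below are constructed placeholders.
"""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, Iterable, List, Optional, Set, Tuple

# Ports a printer legitimately uses for directory lookups (LDAP/LDAPS) and
# scan-to-folder destinations (SMB/FTP). A redirected configuration sends the
# same protocols to a different host, which is what we look for.
AUTH_SERVICE_PORTS = {389: "LDAP", 636: "LDAPS", 445: "SMB", 21: "FTP"}


@dataclass(frozen=True)
class Flow:
    timestamp: str
    src: str
    dst: str
    dport: int
    proto: str


def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed flow-log line; return None for malformed input."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, dport, proto = parts
    try:
        ip_address(src)
        ip_address(dst)
        return Flow(ts, src, dst, int(dport), proto)
    except ValueError:
        return None


def find_passback_candidates(
    lines: Iterable[str],
    printer_ips: Set[str],
    allowed_servers: Dict[str, Set[str]],
) -> List[Tuple[Flow, str]]:
    """Return (flow, service) for every LDAP/LDAPS/SMB/FTP connection from a
    printer to a destination that is not an allowlisted server for that service.
    A service with no allowlisted servers (e.g. FTP scanning not deployed)
    makes any such connection suspicious."""
    alerts: List[Tuple[Flow, str]] = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None or flow.src not in printer_ips:
            continue
        service = AUTH_SERVICE_PORTS.get(flow.dport)
        if service is None:
            continue
        if flow.dst not in allowed_servers.get(service, set()):
            alerts.append((flow, service))
    return alerts


# Constructed inventory: one printer, one domain controller, one scan share.
PRINTER_IPS = {"10.0.5.20"}
ALLOWED_SERVERS = {
    "LDAP": {"10.0.1.10"},
    "LDAPS": {"10.0.1.10"},
    "SMB": {"10.0.2.30"},
    "FTP": set(),  # no FTP scan destination is deployed in this constructed site
}

# Constructed sample log lines.
SAMPLE_LOG = [
    "2024-03-26T10:00:01Z 10.0.5.20 10.0.1.10 389 tcp",  # expected LDAP lookup
    "2024-03-26T10:00:05Z 10.0.5.20 10.0.2.30 445 tcp",  # expected SMB scan share
    "2024-03-26T10:02:11Z 10.0.5.20 10.0.9.99 389 tcp",  # LDAP to an unknown host
    "2024-03-26T10:03:42Z 10.0.5.20 10.0.9.99 445 tcp",  # SMB to an unknown host
    "2024-03-26T10:04:00Z 10.0.5.20 10.0.9.99 21 tcp",   # FTP where none is expected
    "2024-03-26T10:05:00Z 10.0.7.7 10.0.9.99 389 tcp",   # not a printer: ignored
    "this line is malformed",                             # parser skips it
]

if __name__ == "__main__":
    for flow, service in find_passback_candidates(SAMPLE_LOG, PRINTER_IPS, ALLOWED_SERVERS):
        print(f"ALERT {flow.timestamp}: printer {flow.src} sent {service} "
              f"traffic to unexpected host {flow.dst}")
```

On the constructed sample the script raises three alerts, all for the unknown host 10.0.9.99 (LDAP, SMB and FTP). In practice the printer inventory and allowlist would come from the asset database, and the flows from a firewall or NetFlow export; the point is that egress from a printer to an unexpected directory or file server is a cheap, protocol-level signal that its configuration has been altered, independent of whether the device's own logs record the change.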
Mitigation and Patching
Following responsible disclosure on March 26, 2024, Xerox addressed these vulnerabilities in Service Pack 57.75.53, released last month for VersaLink C7020, 7025, and 7030 series printers.
For organizations unable to apply the patch immediately, the following security measures are recommended:
- Set a complex password for the admin account.
- Avoid using Windows authentication accounts with elevated privileges.
- Disable remote-control console access for unauthenticated users.
The vulnerabilities in Xerox VersaLink MFPs and HealthStream MSOW highlight the increasing risks associated with network-connected devices and enterprise software, emphasizing the need for continuous monitoring and proactive security measures.