TelcoNews Asia - Telecommunications news for ICT decision-makers

Hundreds of printer models at risk after security flaws uncovered


A series of security vulnerabilities affecting hundreds of printer, scanner, and label maker models has been discovered, potentially exposing enterprise and home users to remote attacks and network compromise.

Security researchers at Rapid7 have identified eight vulnerabilities across 742 models from four vendors: 689 models from Brother, 46 from FUJIFILM Business Innovation, five from Ricoh, and two from Toshiba Tec Corporation. These issues could allow remote attackers to take control of affected devices and, in some cases, use them as a foothold into the wider network.

Critical authentication bypass

The most significant of the vulnerabilities, designated CVE-2024-51978, is an authentication bypass that allows an unauthenticated attacker to compute a device's default administrator password. This is possible because the default password is derived from the device's serial number, and the serial number is not secret: it can be leaked via another of the vulnerabilities (CVE-2024-51977) or read over standard network protocols. If the default password has not been changed, an attacker who knows the serial number gains full administrative access.
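The point that makes this bypass practical is that the serial number is readable without any credentials. The script below is an added example for auditing your own fleet, not code from the article, Rapid7 or Brother; it hand-encodes a single SNMPv2c GET for the standard Printer MIB object prtGeneralSerialNumber (RFC 3805, OID 1.3.6.1.2.1.43.5.1.1.17.1) so it needs nothing beyond the Python standard library. It assumes the target answers SNMPv2c on UDP/161 with the read-only community "public"; both are assumptions, as is the serial string used in the offline sample reply. It deliberately does not implement the password derivation itself, which the article does not describe; its purpose is to show how trivially the input to that derivation leaks.

```python
"""Added example: read a printer's serial number over SNMPv2c (no pysnmp needed).

Assumptions (not from the article): SNMPv2c on UDP/161, community "public",
standard Printer MIB prtGeneralSerialNumber (RFC 3805) at instance .1.
"""
import socket

PRT_GENERAL_SERIAL_NUMBER = (1, 3, 6, 1, 2, 1, 43, 5, 1, 1, 17, 1)


# --- minimal BER / SNMP encoding ----------------------------------------------
def _ber_length(n: int) -> bytes:
    """Definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _ber_length(len(body)) + body


def _encode_int(value: int) -> bytes:
    """ASN.1 INTEGER, two's complement, minimal length (0x80+ needs a leading 0x00)."""
    n = (value.bit_length() + 8) // 8
    return _tlv(0x02, value.to_bytes(n, "big", signed=True))


def _encode_oid(oid) -> bytes:
    """OBJECT IDENTIFIER: first two arcs packed as 40*X+Y, remaining arcs base-128."""
    body = bytearray([40 * oid[0] + oid[1]])
    for arc in oid[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(0x06, bytes(body))


def _encode_varbind_list(oid, value: bytes) -> bytes:
    return _tlv(0x30, _tlv(0x30, _encode_oid(oid) + value))


def _message(community: str, pdu_tag: int, request_id: int, varbinds: bytes) -> bytes:
    pdu = _tlv(pdu_tag, _encode_int(request_id) + _encode_int(0) + _encode_int(0) + varbinds)
    return _tlv(0x30, _encode_int(1) + _tlv(0x04, community.encode()) + pdu)  # version 1 == v2c


def build_get_request(community: str, oid, request_id: int) -> bytes:
    """GetRequest-PDU (0xA0) with one NULL-valued varbind."""
    return _message(community, 0xA0, request_id, _encode_varbind_list(oid, b"\x05\x00"))


def build_get_response(community: str, oid, request_id: int, value: str) -> bytes:
    """GetResponse-PDU (0xA2). Used here only to construct an offline sample reply."""
    return _message(community, 0xA2, request_id, _encode_varbind_list(oid, _tlv(0x04, value.encode())))


# --- decoding -----------------------------------------------------------------
def _read_tlv(buf: bytes, pos: int):
    """Return (tag, body, next_pos) for the TLV starting at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def _decode_int(body: bytes) -> int:
    return int.from_bytes(body, "big", signed=True)


def parse_get_response(packet: bytes, expected_request_id: int) -> str:
    """Extract the OCTET STRING value from a single-varbind GetResponse, with sanity checks."""
    tag, msg, _ = _read_tlv(packet, 0)
    if tag != 0x30:
        raise ValueError("not an SNMP message")
    _, version, pos = _read_tlv(msg, 0)
    if _decode_int(version) != 1:
        raise ValueError("expected SNMPv2c")
    _, _community, pos = _read_tlv(msg, pos)
    pdu_tag, pdu, _ = _read_tlv(msg, pos)
    if pdu_tag != 0xA2:
        raise ValueError("not a GetResponse-PDU")
    _, rid, pos = _read_tlv(pdu, 0)
    if _decode_int(rid) != expected_request_id:
        raise ValueError("request-id mismatch (stale or spoofed reply)")
    _, err, pos = _read_tlv(pdu, pos)
    if _decode_int(err) != 0:
        raise ValueError(f"agent returned error-status {_decode_int(err)}")
    _, _err_index, pos = _read_tlv(pdu, pos)
    _, varbinds, _ = _read_tlv(pdu, pos)
    _, varbind, _ = _read_tlv(varbinds, 0)
    _, _oid, pos = _read_tlv(varbind, 0)
    vtag, value, _ = _read_tlv(varbind, pos)
    if vtag != 0x04:  # 0x80/0x81/0x82 = noSuchObject/noSuchInstance/endOfMibView
        raise ValueError(f"unexpected value tag 0x{vtag:02x}")
    return value.decode("ascii", errors="replace")


def fetch_serial(host: str, community: str = "public", timeout: float = 2.0) -> str:
    """Send one unauthenticated GET and return the serial string the printer reports."""
    request_id = 0x5A5A  # fixed for reproducibility; randomise in real tooling
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_get_request(community, PRT_GENERAL_SERIAL_NUMBER, request_id), (host, 161))
        data, _ = sock.recvfrom(4096)
    return parse_get_response(data, request_id)


if __name__ == "__main__":
    import sys
    print(fetch_serial(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"))  # 192.0.2.10 is a placeholder
```

Run it against your own printers (`python snmp_serial.py 10.0.0.50`); any device that answers is a device whose default password an attacker on the same network could also compute, so every such device needs a unique administrator password regardless of firmware level. The request-id check in the parser is not decorative: SNMP over UDP is trivially spoofable, and an audit tool that accepts any reply can be fed false data.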

Rapid7 has worked with JPCERT/CC and Brother for over a year to coordinate disclosure and remediation of these vulnerabilities. Brother has indicated that CVE-2024-51978 cannot be fully resolved through a firmware update on existing devices, and has instead changed its manufacturing process so that future models are not affected. For devices already in the field, only workaround measures are available.

Other vulnerabilities

Additional vulnerabilities include a stack-based buffer overflow (CVE-2024-51979) with the potential for remote code execution, two server-side request forgery flaws (CVE-2024-51980 and CVE-2024-51981), two denial-of-service issues (CVE-2024-51982 and CVE-2024-51983), and disclosure of the passwords a device stores for configured external services such as LDAP and FTP (CVE-2024-51984). The buffer overflow and the credential disclosure both require administrator authentication, which is exactly what the default-password bypass supplies.

CVE-2024-51979, if chained with CVE-2024-51978, could result in unauthenticated remote code execution on the device. The denial-of-service vulnerabilities allow attackers to remotely and repeatedly crash affected devices. The server-side request forgery vulnerabilities may permit attackers to pivot into internal networks by causing the device to issue requests to other hosts on its behalf.

Overall, 691 models are affected by the authentication bypass, while 208 are affected by one of the denial-of-service issues. The vulnerabilities impact both enterprise and home users, particularly those who have not changed default device credentials.

Mitigation steps

Brother has released firmware updates to address seven of the eight vulnerabilities, and users are urged to apply these updates alongside the recommended workaround for CVE-2024-51978: setting a unique, non-default administrator password on each device.

Stephen Fewer, Principal Security Researcher at Rapid7, recommends users take specific steps to mitigate risks.

"There are several steps a consumer should take. The first is to ensure their printer devices are running the latest version of the firmware that has been made available from the device's vendor. How to check this will be dependent on the model. Some models may have an app that can be used to administer the device, while some models may require a user to access the device via their web browser and manually check, or manually apply updates. In some cases, a device may receive and apply updates automatically; however, user confirmation of this is recommended. The second thing a consumer should do is manually ensure the administrator password for their printer device is set to a non-default value, i.e. a new complex value the user chooses. This will ensure a bad actor who can access the printer on the home network cannot use any default credentials to log into the device. In a non-enterprise environment this risk is lower, as home networks are not as complex or as exposed as enterprise environments. Best practices such as applying software updates and setting non-default passwords should always be followed, not only for printer devices but across all the technology used throughout a home network."

Brother, in a statement, acknowledged the discovery and subsequent disclosure period, saying: "Brother would like to thank Rapid7 for their efforts in discovering the issues. We have informed our customers about the mitigation on our website."

Wider industry impact

The flaws extend beyond Brother-branded devices because of original equipment manufacturer relationships with FUJIFILM Business Innovation, Ricoh, and Toshiba Tec Corporation. In total, 742 models are affected, underlining the breadth of the potential impact across the supply chain.

The vulnerabilities are tracked under eight Common Vulnerabilities and Exposures (CVE) identifiers. Rapid7, the CVE Numbering Authority for these issues, has published lists of affected models and technical details for each CVE, and practitioners are encouraged to reference the official CVE records for the most accurate data on affected devices.

Remediation for users

Users are advised to apply all firmware updates supplied by Brother and follow the recommended mitigation steps. This includes both the software fixes and secure configuration practices, above all replacing the default administrator password. A complete fix for the authentication bypass exists only in models produced under the revised manufacturing process.

Rapid7 has also published a whitepaper containing technical analysis and proof of concept code to assist security professionals in understanding and addressing these issues. The research credits Stephen Fewer, Principal Security Researcher at Rapid7, with the discovery and disclosure in accordance with the company's vulnerability policy.
