A recently discovered vulnerability in certain Lexmark devices’ embedded web server could allow unauthenticated remote code execution (RCE). The vulnerability, identified as CVE-2023-26068, is exposed when users select “Set up Later” instead of creating an Admin user during printer setup. This allows access to the endpoint `/cgi-bin/fax_change_faxtrace_settings` without authentication, leading to potential exploitation.
The problematic aspect of this vulnerability lies in the fact that several configurable parameters, like `FT_Custom_lbtrace`, are not properly sanitized before being used in a bash eval statement: `eval "$cmd" > /dev/null`. Due to this flaw, an unauthenticated attacker can run arbitrary commands on the affected Lexmark devices.
This RCE vulnerability was first discovered by cybersecurity researchers James Horseman and Zach Hanley, who provided their analysis and proof-of-concept. The Metasploit module for exploiting this vulnerability was later developed by jheysel-r7.
Lexmark has released a security alert to address this vulnerability and has provided additional information on its potential impact. The advisory highlights the need for immediate action to protect vulnerable Lexmark devices.
The Metasploit module, named “Lexmark Device Embedded Web Server RCE,” allows penetration testers and cybersecurity professionals to assess the vulnerability’s impact and demonstrate the potential risks associated with unpatched Lexmark devices. The module is ranked as an ExcellentRanking exploit, indicating its potential as a high-risk threat.
To exploit the vulnerability, the module first sends a request to wake up the printer if it has been inactive for a certain period. Then, it executes the target payload, `cmd/unix/reverse_socat_tcp`. This payload targets Unix-like systems and uses socat to establish a reverse TCP connection back to the attacker.
The exploit process includes sending an HTTP POST request to the vulnerable endpoint `/cgi-bin/fax_change_faxtrace_settings`. In the data section of the request, the parameter `FT_Custom_lbtrace` is set to `3;$(payload);#`, where `payload` represents the command to be executed by the attacker.
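A defender-side check for the request shape described above, added here as an example and not part of the original article or the Metasploit module: it scans constructed proxy log lines (the log format and the sample lines are assumptions) for hits on the vulnerable endpoint and flags `FT_Custom_lbtrace` values that carry shell metacharacters once URL-decoded.

```python
import re
from urllib.parse import unquote_plus

VULN_ENDPOINT = "/cgi-bin/fax_change_faxtrace_settings"
# The trace level is meant to be a small integer; anything else is anomalous.
NUMERIC = re.compile(r"^\d+$")
# Characters that terminate or substitute commands inside a bash eval.
SHELL_META = re.compile(r"[;&|`$(){}<>]")
# Constructed line format: <client> <method> <path> <status> "<raw body>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d{3}) "(.*)"$')

# Constructed sample lines (hypothetical proxy log that records POST bodies;
# not real Lexmark output). Line 1 is the URL-encoded form of 3;$(payload);#
SAMPLE_LOG = """\
192.0.2.10 POST /cgi-bin/fax_change_faxtrace_settings 200 "FT_Custom_lbtrace=3%3B%24%28payload%29%3B%23&FT_Other=1"
192.0.2.11 POST /cgi-bin/fax_change_faxtrace_settings 200 "FT_Custom_lbtrace=2"
192.0.2.12 GET /webglue/content 200 ""
192.0.2.13 POST /cgi-bin/fax_change_faxtrace_settings 401 "FT_Custom_lbtrace=1"
"""

def parse_body(body):
    # Decode an application/x-www-form-urlencoded body into a dict.
    params = {}
    for pair in filter(None, body.split("&")):
        key, _, value = pair.partition("=")
        params[unquote_plus(key)] = unquote_plus(value)
    return params

def classify(line):
    # Return a finding dict for hits on the vulnerable endpoint, else None.
    m = LINE_RE.match(line)
    if not m:
        return None
    client, method, path, status, body = m.groups()
    if path != VULN_ENDPOINT:
        return None
    level = parse_body(body).get("FT_Custom_lbtrace", "")
    if SHELL_META.search(level):
        verdict = "shell_injection"   # metacharacters aimed at the eval
    elif not NUMERIC.match(level):
        verdict = "malformed_value"   # not a trace level, still worth a look
    else:
        verdict = "endpoint_access"   # any hit matters if no Admin user exists
    return {"client": client, "status": int(status), "level": level, "verdict": verdict}

def scan(log_text):
    # Run classify() over every line and keep the non-empty findings.
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

Real device or proxy logs will differ in layout; only `LINE_RE` needs adapting, while the decode-then-inspect logic stays the same.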
The potential impact of a successful exploit is significant. It could lead to unauthorized access, data breaches, or even the complete compromise of the affected Lexmark device. Therefore, it is crucial for Lexmark device users to apply the necessary patches and updates promptly.
Adversaries with the ability to exploit this vulnerability could gain full control over the device, potentially allowing them to move laterally within the affected network or install additional malicious software. This underscores the importance of proactive security measures and regular patching to mitigate the risks associated with such vulnerabilities.
Cybersecurity professionals and system administrators are advised to verify if they have any vulnerable Lexmark devices within their infrastructure. Applying the necessary security updates and firmware patches provided by Lexmark is essential to mitigate the risk of exploitation. It is also recommended to ensure that device configurations include an Admin user during setup to prevent unauthorized access via the vulnerable endpoint.
As research and development in the field of cybersecurity continue, vulnerabilities like the Lexmark Device Embedded Web Server RCE highlight the ongoing need for vigilance and proactive security measures. Regular vulnerability assessments, timely patch management, and a strong focus on securing networked devices are key to preventing potential breaches and maintaining the integrity of network infrastructures.