Xerox Printer Flaws Allow for Credential Capture

A recent discovery by researchers at Rapid7 has shed light on critical vulnerabilities in a popular Xerox VersaLink C7025 multifunction printer that could potentially grant malicious actors complete access to an organization’s Windows environment. These vulnerabilities, which have since been patched by Xerox, exist in firmware version 57.69.91 and earlier.

The flaws in question allow for what are known as pass-back attacks, where attackers can manipulate the printer’s configuration to capture user credentials. Once a malicious actor successfully exploits these vulnerabilities, they could potentially harvest credentials for Windows Active Directory, enabling them to move laterally within an organization’s environment and compromise critical Windows servers and file systems.

Xerox describes the VersaLink C7025 as a multifunction printer with ConnectKey technology, which facilitates cloud and mobile device interactions. The technology boasts security features aimed at preventing attacks, detecting unauthorized changes, and safeguarding against data transmission breaches. These printers are ideal for small to medium-sized workgroups that print around 7,000 pages per month.

Rapid7 identified two vulnerabilities in the Xerox printer firmware – CVE-2024-12510 (LDAP pass-back vulnerability) and CVE-2024-12511 (SMB/FTP pass-back vulnerability), with respective CVSS scores of 6.7 and 7.6. These vulnerabilities could be exploited to redirect authentication credentials to attacker-controlled systems through LDAP or SMB services, potentially exposing sensitive information.

An attacker could tweak the printer’s LDAP configuration to point to a malicious LDAP server, intercepting credentials during authentication checks. Similarly, in the case of SMB/FTP services, an attacker with admin-level access could modify server IP addresses to capture authentication credentials. Identifying vulnerable printers involves checking for default passwords, LDAP/SMB configurations, and querying SNMP for LDAP service settings.
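The identification steps above (firmware level, default admin password, and where the LDAP/SMB/FTP settings point) can be turned into a defender-side audit. The following is an added example, not code from Rapid7, Xerox, or the article; it assumes a configuration export has already been pulled from each printer and that the trusted server networks and domain are known, and the sample printer records are constructed.

```python
import ipaddress
from dataclasses import dataclass

# Last affected firmware per the advisory: 57.69.91 and earlier.
LAST_VULNERABLE_FW = "57.69.91"


def parse_version(v: str) -> tuple:
    """'57.69.91' -> (57, 69, 91) so versions compare numerically, not as strings."""
    return tuple(int(p) for p in v.strip().split("."))


def firmware_is_vulnerable(version: str) -> bool:
    return parse_version(version) <= parse_version(LAST_VULNERABLE_FW)


@dataclass
class PrinterConfig:            # hypothetical shape of an exported printer config
    hostname: str
    firmware: str
    admin_password_is_default: bool
    ldap_server: str            # directory server used for address-book/auth lookups
    smb_scan_server: str        # scan-to-SMB destination
    ftp_scan_server: str = ""   # scan-to-FTP destination, if any


def audit_printer(cfg: PrinterConfig, trusted_cidrs, trusted_domain: str) -> list:
    """Return findings for one printer; an empty list means nothing suspicious."""
    findings = []
    if firmware_is_vulnerable(cfg.firmware):
        findings.append(f"firmware {cfg.firmware} <= {LAST_VULNERABLE_FW}: apply Xerox patch")
    if cfg.admin_password_is_default:
        findings.append("admin password is the factory default")
    nets = [ipaddress.ip_network(c) for c in trusted_cidrs]
    targets = (("LDAP", cfg.ldap_server), ("SMB", cfg.smb_scan_server),
               ("FTP", cfg.ftp_scan_server))
    for label, target in targets:
        if not target:
            continue
        try:  # IP literal: must sit inside a trusted network
            ok = any(ipaddress.ip_address(target) in n for n in nets)
        except ValueError:  # hostname: accept only hosts in our own domain
            ok = target.lower().endswith("." + trusted_domain.lower())
        if not ok:
            findings.append(f"{label} destination {target} is not a trusted server: "
                            "possible pass-back redirect")
    return findings


# Constructed sample data: one clean printer, one whose LDAP target was redirected.
TRUSTED_CIDRS = ["10.0.5.0/24"]
TRUSTED_DOMAIN = "corp.example"
CLEAN = PrinterConfig("prn-floor2", "99.0.0", False, "dc01.corp.example", "10.0.5.20")
SUSPECT = PrinterConfig("prn-lobby", "57.69.91", True, "203.0.113.7", "10.0.5.20",
                        "files.corp.example")

if __name__ == "__main__":
    for p in (CLEAN, SUSPECT):
        print(p.hostname, audit_printer(p, TRUSTED_CIDRS, TRUSTED_DOMAIN) or "OK")
```

The "99.0.0" firmware string is a placeholder for any release newer than 57.69.91, not a real Xerox version.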

The repercussions of such an attack are dire, as gaining access to Windows Active Directory could allow bad actors to infiltrate critical systems within an organization. Attackers could exploit Domain Admin credentials stored in printer settings to gain complete control over Windows environments, potentially compromising file services, domain information, email accounts, and databases.

Jim Routh, chief trust officer at Saviynt, acknowledges the technical prowess required to exploit these vulnerabilities, emphasizing the widespread impact of such attacks. Xerox has released patched firmware to address these issues, urging organizations to update promptly and implement strong password policies to mitigate risks. Failure to do so could leave organizations vulnerable to cybercriminal activities exploiting printer vulnerabilities.

Printer vulnerabilities pose a significant threat to organizations, especially in the current landscape of remote and hybrid work models. Studies indicate a rise in security incidents related to printer vulnerabilities, with many organizations underestimating the severity of such risks. Addressing these vulnerabilities requires proactive measures, including regular patching, robust passwords, and heightened awareness of potential threats. Ignoring the risks associated with printer security could leave organizations exposed to sophisticated attacks targeting their infrastructure.
