NCC Group warns of security risks of leading printers

Researchers at NCC Group have uncovered “significant vulnerabilities” in six commonly used enterprise printers, highlighting the vast attack surface of printers and other internet-connected devices and the need to keep systems patched up to date.

Testing mid-range enterprise printers manufactured by HP, Ricoh, Xerox, Lexmark, Kyocera and Brother, uncovered a wide range of vulnerability types using basic tools, with some vulnerabilities being  uncovered in minutes, the researchers said.

The testing included web applications, web services, firmware and update capability, as well as carrying out hardware analysis. 

The potential consequences of exploiting the vulnerabilities include denial of service attacks that could crash printers, the ability to add backdoors into printers to maintain attacker persistence on a network, the ability to spy on every print job sent to vulnerable printers, and the ability to forward them to an external internet-based attacker.

All of the vulnerabilities discovered during this research have either been patched or are in the process of being patched by the relevant manufacturers. NCC Group recommends that system administrators update any affected printers to the latest firmware available, and monitor for any further updates.

“Because printers have been around for decades, they’re not typically regarded as enterprise IoT [internet of things devices], yet they are embedded devices that connect to sensitive corporate networks, and therefore demonstrate the potential risks and security vulnerability posed by enterprise IoT,” said Matt Lewis, research director at NCC Group.

“Building security into the development lifecycle would mitigate most, if not all, of these vulnerabilities and so it’s therefore important that manufacturers continue to invest in and improve cyber security, including secure development training and carrying out thorough security assessments of all devices.

“Corporate IT teams can also make small changes to safeguard their organisation from IoT-related vulnerabilities, such as changing default settings, developing and enforcing secure printer configuration guides and regularly updating firmware.”

The printers tested by the researchers are: HP Color LastJet Pro MFP M281fdw; Ricoh SP C250DN; Xerox Phaser 3320; Brother HL-L8360CDW; Lexmark CX310DN; and Kyocera Ecosys M5526cdw.

The vulnerabilties in HP printers include buffer overflows, cross-site scripting (XSS) vulnerabilities and cross-site forgery countermeasures bypass.

HP has posted firmware updates to address potential vulnerabilities to some of its Color LaserJet series. "HP encourages customers to keep their systems updated to protect against vulnerabilities," the company said in a statement. 

The vulnerabilities in Lexmark printers include denial of service vulnerability, information disclosure vulnerabilities, lack of cross-site request forgery countermeasures and lack of account lockout.

The vulnerabilities in Kyocera printers include buffer overflows, broken access controls, cross-site scripting vulnerabilities and lack of cross-site request forgery countermeasures.

The vulnerabilities in Brother printers include stack buffer overflows, heap overflows and information disclosure vulnerabilities.

The vulnerabilities in Ricoh printers include buffer overflows, lack of account lockout, information disclosure vulnerabilities, denial of service vulnerabilities, lack of cross-site request forgery countermeasures and hardcoded credentials.

The vulnerabilities in Xerox printers include buffer overflows, cross-site scripting vulnerabilities, lack of cross-site request forgery countermeasures and lack of account lockout.