Rapid7 researchers have uncovered alarming vulnerabilities within Xerox VersaLink C7025 Multifunction printers (MFPs), exposing organizations to potential security threats. These vulnerabilities could allow attackers to capture sensitive authentication credentials through pass-back attacks utilizing Lightweight Directory Access Protocol (LDAP) and SMB/FTP services.
According to Rapid7's findings, these security risks stem from flaws present in firmware versions 57.69.91 and earlier. "While examining the Xerox VersaLink C7025, we found it was vulnerable to pass-back attacks," stated Deral Heiland, one of the researchers involved. "This pass-back style attack leverages vulnerabilities permitting malicious actors to alter the MFP's configuration and trigger the device to send authentication credentials back to them." Such methods could enable attackers to infiltrate corporate environments, compromising additional systems.
The research identified two main vulnerabilities: CVE-2024-12510 and CVE-2024-12511. The former carries a CVSS score of 6.7 and allows for pass-back attacks via LDAP, posing risks if LDAP is used for authentication. Essentially, this flaw allows redirected authentication information potentially exposing credentials to rogue servers.
The latter vulnerability, CVE-2024-12511, with a higher CVSS score of 7.6, permits unauthorized access to the user address book configuration. This flaw enables attackers to manipulate the SMB or FTP server's IP address, rerouting it to their control, effectively capturing credentials during file scan operations.
Heiland noted the conditions necessary for these attacks to succeed. "For this attack to be successful, the attacker requires SMB or FTP scan functions configured within the user’s address book, along with physical access to the printer console or remote-control console through the web interface. This may also require admin access if user-level access isn't enabled."
Following responsible disclosure on March 26, 2024, Xerox addressed these vulnerabilities with Service Pack 57.75.53, released recently for VersaLink C7020, 7025, and 7030 series printers. Nevertheless, interim protective measures are recommended for organizations unable to implement patches immediately.
Organizations should prioritize setting complex passwords for admin accounts and refrain from using Windows authentication accounts with elevated privileges. Also, it is prudent to disable the remote-control console for unauthenticated users to bolster security defenses.
These developments come as the cybersecurity industry grapples with other vulnerabilities, highlighted by Specular CEO Peyton Smith. He disclosed unauthenticated SQL injection vulnerabilities affecting the widely deployed healthcare software HealthStream MSOW, marking another significant challenge for IT security professionals.
Smith's observations indicate up to 50 instances of MSOW exposed to the internet, with 23 of those vulnerable to significant database compromises. This SQL injection issue could allow attackers access to sensitive data from 23 healthcare organizations through crafted HTTP payloads.
The cumulation of these vulnerabilities raises concerns across multiple sectors, emphasizing the pressing need for diligence and proactive security measures. Rapid7's research serves as both a warning and call to action for organizations using Xerox printers to take immediate steps to secure their devices and protect their networks from potential breaches.