Multifunction printers of various brands: Active attacks on June vulnerabilities

Two dangerous vulnerabilities in around 750 printer models that became known in June are being actively attacked. High time for retroactive protection.


The team behind the open-source protection software CrowdSec has registered active attacks via two vulnerabilities that affect hundreds of multifunction printer models from various manufacturers.

CVE-2024-51977 and CVE-2024-51978 have been known since the end of June – heise online reported at the time. What is new, however, is that exploit attempts are actually taking place. Anyone who has not yet installed the firmware updates that have been available for several weeks or taken the additional recommended security measures should do so now at the latest.

The potentially vulnerable devices include at least 689 different multifunction printers, scanners, and label printers from Brother, 46 printer models from Fujifilm, five printers from Ricoh, two models from Toshiba, and six devices from Konica Minolta.

The Rapid7 team has discovered the vulnerabilities currently being exploited. The team describes them in a blog post, together with other vulnerabilities affecting the same devices. Nothing is known about active attacks on the other vulnerabilities.

CrowdSec's Intrusion Prevention System analyzes attacks from malicious IP addresses to detect and block them later. In this context, the team discovered a “broad scanning campaign” for printers that are accessible in the network and impacted by CVE-2024-51977 as an initial gateway, according to the press release.

The threat intelligence specialists have set up a website with an “exploit timeline” that shows attack attempts against the vulnerability from July 9 to the present day. The (rather low) number of attacks recorded per day, based on community data, says little about the actual size of the attack wave. However, the statistics do show that exploit attempts have been made every day for a good two weeks. The website also lists specific attacker IPs below the timeline.

The exploit timeline shows continuous attack attempts via CVE-2024-51977.

(Image: CrowdSec / Screenshot)

According to CrowdSec's analyses, various actors and strategies are behind the attacks. Some are deliberately trying to abuse the vulnerability for initial entry into networks; others are probably automated attempts to build IoT botnets. The latter could later use compromised printers for distributed denial-of-service (DDoS) attacks, for example.

CVE-2024-51977 (classified “Medium”) makes it possible to extract the serial number of vulnerable printers with little effort. The devices' default password is derived from this number.

Once an attacker has obtained the serial number, CVE-2024-51978 (classified “Critical”) allows the admin password to be generated from it in the next step of the attack chain, and thus grants full access to the vulnerable device. Of course, this only works if the default password has not been changed beforehand. This is exactly what owners of potentially affected devices should do so that attack attempts come to nothing.
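The two passages above describe a scanning campaign from known attacker IPs and an attack chain that starts with network-reachable printers still carrying their default password. The following script is an added example (not from the article, CrowdSec or Rapid7) of how a defender might correlate firewall logs against a blocklist of scanning sources to find which internal printers are actually being reached, so those devices can be prioritised for firmware updates and password changes. The log format, the printer inventory, the service ports and the blocklist addresses are all constructed assumptions; the addresses come from the RFC 5737 documentation ranges and are not real indicators.

```python
"""Constructed example: correlate firewall connection logs against a
CrowdSec-style blocklist of scanning IPs and flag traffic that was allowed
through to printer management services. Not part of the article or of any
vendor's tooling; all addresses, log lines and inventory entries are made up."""
import ipaddress
import re
from collections import Counter, defaultdict

# Assumed services a multifunction printer typically exposes (assumption, not
# taken from the article): web admin, IPP, SNMP and raw printing.
PRINTER_SERVICE_PORTS = {
    80: "http-admin",
    443: "https-admin",
    631: "ipp",
    161: "snmp",
    9100: "raw-print",
}

# Constructed inventory of printers on the internal network (placeholder models).
PRINTER_INVENTORY = {
    "192.0.2.10": "Brother multifunction printer (placeholder model)",
    "192.0.2.11": "Fujifilm printer (placeholder model)",
}

# Constructed blocklist standing in for the attacker IPs listed under the
# exploit timeline; single hosts and CIDR ranges are both accepted.
BLOCKLIST = {"198.51.100.7", "203.0.113.0/24"}

# Assumed firewall log format: "... src=A dst=B dport=N action=allow|deny".
LOG_RE = re.compile(
    r"src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) dport=(?P<dport>\d+) action=(?P<action>\w+)"
)

# Constructed sample log lines.
SAMPLE_LOGS = """\
2025-07-23T08:01:12Z fw: src=198.51.100.7 dst=192.0.2.10 dport=80 action=allow
2025-07-23T08:01:13Z fw: src=203.0.113.44 dst=192.0.2.10 dport=631 action=allow
2025-07-23T08:02:40Z fw: src=10.0.0.5 dst=192.0.2.10 dport=9100 action=allow
2025-07-23T08:03:01Z fw: src=203.0.113.9 dst=192.0.2.11 dport=443 action=deny
2025-07-23T08:03:05Z fw: src=198.51.100.7 dst=192.0.2.99 dport=22 action=allow
"""


def blocklist_networks(entries):
    """Parse hosts and CIDR ranges into ip_network objects once, up front."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def is_blocklisted(ip, networks):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in networks)


def parse_line(line):
    """Return the event fields of one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    event = m.groupdict()
    event["dport"] = int(event["dport"])
    return event


def triage(log_text, inventory=PRINTER_INVENTORY, blocklist=BLOCKLIST):
    """Map printer address -> list of (source, service) for connections from a
    blocklisted source that the firewall allowed through to a printer service."""
    networks = blocklist_networks(blocklist)
    findings = defaultdict(list)
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["dst"] not in inventory:
            continue
        if event["dport"] not in PRINTER_SERVICE_PORTS or event["action"] != "allow":
            continue
        if not is_blocklisted(event["src"], networks):
            continue
        findings[event["dst"]].append((event["src"], PRINTER_SERVICE_PORTS[event["dport"]]))
    return dict(findings)


def summary(findings):
    """Hit count per printer and per scanning source, for prioritising patching."""
    per_printer = {dst: len(events) for dst, events in findings.items()}
    sources = Counter(src for events in findings.values() for src, _ in events)
    return per_printer, sources


if __name__ == "__main__":
    hits = triage(SAMPLE_LOGS)
    per_printer, sources = summary(hits)
    for dst, count in per_printer.items():
        print(f"{dst} ({PRINTER_INVENTORY[dst]}): {count} allowed hit(s) from blocklisted sources")
    print("top sources:", sources.most_common(3))
```

Only printers that were both reachable from a blocklisted source and listed in the inventory are reported; denied connections and unknown destinations are ignored so the output stays focused on devices that still need the firmware update and a changed default password.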

In addition to this basic immediate measure, firmware updates are available from the manufacturers. Details can be found in the following security information:

(ovw)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.