Verder naar navigatie Doorgaan naar hoofdinhoud Ga naar de voettekst

Technical Advisory: Multiple Vulnerabilities in Xerox Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Xerox printers.

The vulnerability list below was found affecting to several Xerox printers:

 

Technical Advisories:

Buffer Overflow in Google Cloud Print Implementation (CVE-2019-13171)

Vendor: Xerox
Vendor URL: https://www.xerox.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13171
Risk: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Summary

Some Xerox printers were affected by a several buffer overflow vulnerabilities in the Google Cloud Print implementation that would allow an unauthenticated attacker to execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can lead to remote code execution on the affected device.

Details

The Google Cloud Printing implementation had a stack buffer overflow, causing a Denial of Service or Remote Code Execution vulnerability. This was caused by an insecure handling of the register parameters.

After reverse engineering the firmware, it was found that the google print implementations was affected by a stack buffer overflow, as the size used within a memcpy() function, which copied the “action” value into a local variable, was not checked properly.

CVSSv3 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Xerox in order to 
follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13171
https://nvd.nist.gov/vuln/detail/CVE-2019-13171

Devices Affected

The table below shows the devices and firmware versions affected:

Xerox Models Affected Releases Fixed Releases
Phaser 3320 Phaser3320_V53.006.16.000  
  • Other models may also be affected

Multiple Buffer Overflows in IPP Service (CVE-2019-13165, CVE-2019-13168)

Vendor: Xerox
Vendor URL: https://www.xerox.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13165, CVE-2019-13168
Risk: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Summary

Some Xerox printers were affected by multiple overflow vulnerabilities in the IPP service. This would allow an unauthenticated attacker to cause a Denial of Service (DoS) and potentially execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can lead to crash the device, and potentially to remote code execution on the affected device.

Details

Specially crafted requests to the IPP service will cause a vulnerable device to crash. Multiple buffer overflow vulnerabilities have been identified in the attributes parsing and request parsing of the IPP service of Xerox devices that allow an attacker to crash the device and potentially execute arbitrary code.

CVSSv3 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Xerox in order to 
follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13165
https://nvd.nist.gov/vuln/detail/CVE-2019-13165

CVE-2019-13168
https://nvd.nist.gov/vuln/detail/CVE-2019-13168

Devices Affected

The table below shows the devices and firmware versions affected:

Xerox Models Affected Releases Fixed Releases
Phaser 3320 Phaser3320_V53.006.16.000  
  • Other models may also be affected

Multiple Buffer Overflows in Web Server  (CVE-2019-13169, CVE-2019-13172)

Vendor: Xerox
Vendor URL: https://www.xerox.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13169, CVE-2019-13172
Risk: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Summary

Some Xerox printers were affected by a several buffer overflow vulnerabilities in the web application that would allow an unauthenticated attacker to cause a Denial of Service (DoS) and potentially execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can lead to crash the device, and potentially to remote code execution on the affected device.

Details

Specially crafted requests to the web server will cause a vulnerable device to crash. Buffer overflows have been identified in the Content-Type header and the authentication cookie that would allow an attacker to execute arbitrary code on the device.

CVSSv3 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Xerox in order to 
follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13169
https://nvd.nist.gov/vuln/detail/CVE-2019-13169

CVE-2019-13172
https://nvd.nist.gov/vuln/detail/CVE-2019-13172

Devices Affected

The table below shows the devices and firmware versions affected:

Xerox Models Affected Releases Fixed Releases
Phaser 3320 Phaser3320_V53.006.16.000  
  • Other models may also be affected

Multiple Cross-Site Scripting Vulnerabilities (CVE-2019-13167)

Vendor: Xerox
Vendor URL: https://www.xerox.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13167
Risk: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Summary

Multiple Stored Cross-Site Scripting vulnerabilities were found in the Xerox Web Application.

Impact

Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions.

Details

The web application was vulnerable to Cross-Site Scripting attacks. This type of vulnerability occurs when untrusted data is included in the resulting page without being correctly HTML-encoded, and client-side executable code may be injected into the dynamic page.

CVSSv3 Base Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Impact Subscore: 2.7
Exploitability Subscore: 2.8

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Xerox in order to 
follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13167
https://nvd.nist.gov/vuln/detail/CVE-2019-13167

Devices Affected

The table below shows the devices and firmware versions affected:

Xerox Models Affected Releases Fixed Releases
Phaser 3320 Phaser3320_V53.006.16.000  
  • Other models may also be affected

Lack of Cross-Site Request Forgery Countermeasures (CVE-2019-13170)

Vendor: Xerox
Vendor URL: https://www.xerox.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13170
Risk: 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Summary

Some Xerox printers did not implement any mechanism to avoid cross-site request forgery attacks.

Impact

Successful exploitation of this vulnerability can lead to the takeover of a local account on the device.

Details

Some Xerox printers did not implement any mechanism to avoid cross-site request forgery attacks. This can lead to allow a local account password to be changed without the knowledge of the authenticated user.

CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Impact Subscore: 3.6
Exploitability Subscore: 2.8

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Xerox in order to 
follow up the process. 
2019-08-08: NCC Group Advisory released

References

CVE-2019-13170
https://nvd.nist.gov/vuln/detail/CVE-2019-13170

Devices Affected

The table below shows the devices and firmware versions affected:

Xerox Models Affected Releases Fixed Releases
Phaser 3320 Phaser3320_V53.006.16.000  
  • Other models may also be affected

 

No Account Lockout Implemented (CVE-2019-13166)

Vendor: Xerox
Vendor URL: https://www.xerox.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13166
Risk: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Summary

Some Xerox printers did not implement account lockout.

Impact

Local account credentials may be extracted from the device via brute force guessing attacks.

Details

Some Xerox printers did not implement account lockout. Therefore, it was possible to obtain the local account credentials by brute force.

CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Impact Subscore: 2.5
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Xerox in order to 
follow up the process. 
2019-08-08: NCC Group Advisory released

References

CVE-2019-13166
https://nvd.nist.gov/vuln/detail/CVE-2019-13166

Devices Affected

The table below shows the devices and firmware versions affected:

Xerox Models Affected Releases Fixed Releases
Phaser 3320 Phaser3320_V53.006.16.000  
  • Other models may also be affected

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: 08/08/2019
Written by:
• Daniel Romero – daniel.romero[at]nccgroup[dot]com
• Mario Rivas – mario.rivas[at]nccgroup[dot]com