Recent security flaws have been uncovered in Xerox VersaLink C7025 Multifunction printers (MFPs), raising concerns about potential data breaches. These vulnerabilities could permit attackers to intercept authentication credentials through pass-back attacks linked to Lightweight Directory Access Protocol (LDAP) and SMB/FTP services.
According to Rapid7 security researcher Deral Heiland, the method of attack allows malicious actors to modify the printer’s configuration, effectively redirecting authentication credentials back to themselves. If exploited, these vulnerabilities could enable the unauthorized capture of Windows Active Directory credentials, facilitating lateral movement within an organization’s IT infrastructure.
More specifically, the identified vulnerabilities impact firmware versions 57.69.91 and earlier. The first, designated as CVE-2024-12510, carries a CVSS score of 6.7 and involves a pass-back attack utilizing LDAP. The second vulnerability, CVE-2024-12511, has a CVSS score of 7.6 and leverages a user’s address book to manipulate the SMB or FTP server’s IP address, redirecting authentication credentials to a server under an attacker’s control.
Successful exploitation of CVE-2024-12510 allows an attacker to reroute authentication information, potentially exposing sensitive credentials if the attacker possesses access to the LDAP configuration page. Similarly, CVE-2024-12511 enables access to modify the user address book, leading to potential credential capture during file scans.
Heiland emphasizes that an attacker would require proper configuration within the user’s address book, alongside either physical access to the printer console or remote access through the web interface. This often necessitates administrative privileges, unless user-level access has been generously granted.
Following responsible disclosure on March 26, 2024, Xerox addressed these vulnerabilities in Service Pack 57.75.53, made available late last month for the VersaLink C7020, 7025, and 7030 series printers. In scenarios where immediate patching is unfeasible, it is advisable for users to implement complex passwords for admin accounts, refrain from using highly privileged Windows authentication accounts, and disable remote access for unauthenticated users.
The discovery of these vulnerabilities comes in tandem with an unassociated report regarding a serious SQL injection vulnerability affecting HealthStream’s MSOW software, which poses significant risks to healthcare organizations by potentially compromising sensitive data. Specular CEO Peyton Smith highlighted the severity of an unauthenticated access flaw that could allow attackers to retrieve entire database contents via crafted SQL injections.
The implications of these vulnerabilities are profound, stressing the need for heightened cybersecurity awareness and proactive measures among businesses. By referencing the MITRE ATT&CK framework, organizations can better understand potential tactics and techniques employed by adversaries, including initial access and privilege escalation methods essential for recognizing and mitigating such risks.
As the cybersecurity landscape continues to evolve, robust security measures and timely patching play a critical role in safeguarding sensitive information against emerging threats.
