Multifunction printers (MFPs) are frequently overlooked in vulnerability management. During a network breach, attackers do not limit themselves to high-value assets like servers or databases. They seek any system that can provide valuable information or assist them in escalating their privileges. MFPs often fall into this category for several reasons: Insufficient Protection: MFPs are often not included in security monitoring and vulnerability management programs.
Inadequate Monitoring: Many organizations lack proper logging and alerting for printer-related activities.
Storage of Sensitive Data: MFPs can store scanned documents, print job histories, and cached credentials, all of which may aid attackers in gaining further access. Insufficient Protection: MFPs are often not included in security monitoring and vulnerability management programs. Insufficient Protection Inadequate Monitoring: Many organizations lack proper logging and alerting for printer-related activities. Inadequate Monitoring Storage of Sensitive Data: MFPs can store scanned documents, print job histories, and cached credentials, all of which may aid attackers in gaining further access. Storage of Sensitive Data A compromised MFP can act as a pivot point for attackers, serving as a potential entryway for further exploitation. Therefore, securing MFPs must be a critical component of any modern vulnerability management strategy. Common MFP Vulnerabilities It's important to recognize that multifunction printers (MFPs) are frequently used to scan documents to network shares or email inboxes. This functionality often requires integration with Active Directory or another authentication database, which means that credentials may be stored on these devices. To effectively secure multifunction printers, organizations should implement the same structured vulnerability management process that they use for other IT assets. When it comes to MFPs, we should take into account the following common security issues: Default or Weak Credentials: It is often possible to find an MFP connected to the network without a password configured for the management web interface or configured default password that is easy to guess.
Unsecured Network Protocols: Protocols like SNMP v1/v2 or Telnet have known security vulnerabilities and can be exploited in an attack.
Buffer Overflow and Remote Code Execution (RCE) Vulnerabilities: These risks may arise due to unpatched or outdated software versions, making MFPs an easy target for exploitation. Default or Weak Credentials: It is often possible to find an MFP connected to the network without a password configured for the management web interface or configured default password that is easy to guess. Default or Weak Credentials Unsecured Network Protocols: Protocols like SNMP v1/v2 or Telnet have known security vulnerabilities and can be exploited in an attack. Unsecured Network Protocols Buffer Overflow and Remote Code Execution (RCE) Vulnerabilities: These risks may arise due to unpatched or outdated software versions, making MFPs an easy target for exploitation. Buffer Overflow and Remote Code Execution (RCE) Vulnerabilities Asset Discovery & Inventory It is essential to maintain an updated inventory of MFPs, including the model and firmware versions. To identify all MFPs in the network, we can use traffic analysis with protocols like NetFlow and analyze DHCP logs to search for relevant MAC addresses. Another effective method is network scanning. In addition to vulnerability scanners, we can use simpler solutions like network scanners. For example, Nmap can be utilized to scan the network and gather valuable information about connected MFPs. Nmap The following command will scan the network using Nmap and execute a script to retrieve the title header of web applications, helping us identify the device vendor: sudo nmap -P0 -vv -sS -script=http-title.nse -p 80,443 192.168.12.0/24 sudo nmap -P0 -vv -sS -script=http-title.nse -p 80,443 192.168.12.0/24 Many MFPs have the SNMP protocol enabled by default. The command below will scan the network, connect to the SNMP service, and retrieve information using the snmp-info.nse script. snmp-info.nse sudo nmap -P0 -sU -script=snmp-info.nse -p 161 -vv 192.168.21.0/24 sudo nmap -P0 -sU -script=snmp-info.nse -p 161 -vv 192.168.21.0/24 It is also a good idea to categorize certain MFPs as critical assets if they handle sensitive information. critical assets Vulnerability Assessment We can perform regular vulnerability scans using a scanner like Nessus, for example. Unfortunately, this is not always possible because printers are fragile devices, and in some cases, scanning them or sending data to specific ports may cause malfunctions or even disrupt their functionality. Nessus An alternative approach to assessing vulnerabilities in MFPs is to monitor vendor security bulletins for updates and CVE disclosures. Check for misconfigurations and vulnerabilities using self-crafted scripts. As an additional step, we can create our own script if a vulnerability and its exploit are publicly available. For example, I wrote a Python script that scans an IP network for the CVE-2022-1026 vulnerability in Kyocera devices. I used a publicly available exploit, modified it, and integrated it into the scanning script. Python script CVE-2022-1026 python3 scan_kyocera.py 192.0.2.0/25 python3 scan_kyocera.py 192.0.2.0/25 from csv import reader, writer
import socket
import warnings
import argparse
from exp_kyocera import cve_kyocera
import ipaddress

warnings.filterwarnings('ignore', message='Unverified HTTPS request')

#######
#
#Port TCP 9091 should be accessible
#In the address book of kyocera device there should be at least one record for exploit to work
#To run: python3 scan_kyocera.py 192.0.2.0/25
#
##################

#Save results
def write_results(inlist, resultname):
    fileResults = open(resultname + '.csv', mode='w', encoding='utf8', newline='')
    resultwriter = writer(fileResults, delimiter=',')
    resultwriter.writerows(inlist)
    fileResults.close()


#Args
parser = argparse.ArgumentParser()
parser.add_argument("network", help="network to scan with CIDR, example: 192.0.2.0/25")
args = parser.parse_args()

net = args.network
result_data = [['#', 'IP', 'Result']]
target_network = ipaddress.ip_network(net)
socket.setdefaulttimeout(1) #Timeout in seconds to wait on socket - 9091
n = 0
for t in target_network.hosts():
    n += 1
    target = str(t)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    isopen = s.connect_ex((target, 9091))
    if isopen == 0:
        result = cve_kyocera(target)
    else:
        result = 'Timeout'
    result_data.append([n, target, result])

#Write results
write_results(result_data, 'results')

#Print vulnerable results
print(result_data[0:1])
for r in result_data[1:]:
    if r[2] == 'Vulnerable':
        print(r) from csv import reader, writer
import socket
import warnings
import argparse
from exp_kyocera import cve_kyocera
import ipaddress

warnings.filterwarnings('ignore', message='Unverified HTTPS request')

#######
#
#Port TCP 9091 should be accessible
#In the address book of kyocera device there should be at least one record for exploit to work
#To run: python3 scan_kyocera.py 192.0.2.0/25
#
##################

#Save results
def write_results(inlist, resultname):
    fileResults = open(resultname + '.csv', mode='w', encoding='utf8', newline='')
    resultwriter = writer(fileResults, delimiter=',')
    resultwriter.writerows(inlist)
    fileResults.close()


#Args
parser = argparse.ArgumentParser()
parser.add_argument("network", help="network to scan with CIDR, example: 192.0.2.0/25")
args = parser.parse_args()

net = args.network
result_data = [['#', 'IP', 'Result']]
target_network = ipaddress.ip_network(net)
socket.setdefaulttimeout(1) #Timeout in seconds to wait on socket - 9091
n = 0
for t in target_network.hosts():
    n += 1
    target = str(t)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    isopen = s.connect_ex((target, 9091))
    if isopen == 0:
        result = cve_kyocera(target)
    else:
        result = 'Timeout'
    result_data.append([n, target, result])

#Write results
write_results(result_data, 'results')

#Print vulnerable results
print(result_data[0:1])
for r in result_data[1:]:
    if r[2] == 'Vulnerable':
        print(r) There was no other way to check all the devices for this vulnerability because the vulnerability scanner was unable to detect it. Final Thoughts Multifunction Printers (MFPs) are often overlooked in cybersecurity strategies, yet they can represent a significant vulnerability in corporate networks. These devices should be included in the risk prioritization process, where the impact and exploitability of detected vulnerabilities are evaluated, and patches are prioritized accordingly. The typical remediation and hardening process should include the following steps: Change default credentials and enforce role-based access control (RBAC) if supported.
Disable unnecessary services, such as Telnet, FTP, SNMP v1/v2, and any web interfaces, whenever possible.
Apply firmware updates and security patches as soon as they become available.
Enable secure communication protocols, including HTTPS, SFTP, and SNMP v3, for any necessary services.
Restrict both physical and remote access to authorized personnel only.
If syslog is available, configure log monitoring and auditing using a Security Information and Event Management (SIEM) solution. Change default credentials and enforce role-based access control (RBAC) if supported. Disable unnecessary services, such as Telnet, FTP, SNMP v1/v2, and any web interfaces, whenever possible. Apply firmware updates and security patches as soon as they become available. Enable secure communication protocols, including HTTPS, SFTP, and SNMP v3, for any necessary services. Restrict both physical and remote access to authorized personnel only. If syslog is available, configure log monitoring and auditing using a Security Information and Event Management (SIEM) solution.

Discovery

No-Code EPSS-Powered Vulnerability Management in Budibase

About Mikhail

Too Long; Didn't Read

Boost your HackerNoon story @ $159.99! 🚀

The Humble Office Printer Could Take Down Your Network (Here's How to Prevent It)

About Author

Comments

TOPICS

THIS ARTICLE WAS FEATURED IN

Related Stories

Untitled Story

Discover Your Most Critical Assets Before Hackers Do

Legacy Systems and CVEs: The Unseen Threat to Ghana's Digital Landscape

Detecting and Mitigating Fake Contact Data: A Case Study with Apple Ecosystem Signals

Meet the “Chronic Clicker”: The Hidden Threat Inside Every Company

Windows Sticky Keys Exploit: The War Veteran That Never Dies

Discover Your Most Critical Assets Before Hackers Do

Legacy Systems and CVEs: The Unseen Threat to Ghana's Digital Landscape

Detecting and Mitigating Fake Contact Data: A Case Study with Apple Ecosystem Signals

Meet the “Chronic Clicker”: The Hidden Threat Inside Every Company

Windows Sticky Keys Exploit: The War Veteran That Never Dies

Light-Mode

Classic

Newspaper

Dark-Mode

Neon Noir

Minty

HN StartUps