The Humble Office Printer Could Take Down Your Network (Here's How to Prevent It)

Multifunction printers (MFPs) are frequently overlooked in vulnerability management. During a network breach, attackers do not limit themselves to high-value assets like servers or databases. They seek any system that can provide valuable information or assist them in escalating their privileges. MFPs often fall into this category for several reasons:

• Insufficient Protection: MFPs are often not included in security monitoring and vulnerability management programs.
• Inadequate Monitoring: Many organizations lack proper logging and alerting for printer-related activities.
• Storage of Sensitive Data: MFPs can store scanned documents, print job histories, and cached credentials, all of which may aid attackers in gaining further access.

A compromised MFP can act as a pivot point for attackers, serving as a potential entryway for further exploitation. Therefore, securing MFPs must be a critical component of any modern vulnerability management strategy.

Common MFP Vulnerabilities

It's important to recognize that multifunction printers (MFPs) are frequently used to scan documents to network shares or email inboxes. This functionality often requires integration with Active Directory or another authentication database, which means that credentials may be stored on these devices.

To effectively secure multifunction printers, organizations should implement the same structured vulnerability management process that they use for other IT assets.

When it comes to MFPs, we should take into account the following common security issues:

• Default or Weak Credentials: It is often possible to find an MFP connected to the network without a password configured for the management web interface or configured default password that is easy to guess.
• Unsecured Network Protocols: Protocols like SNMP v1/v2 or Telnet have known security vulnerabilities and can be exploited in an attack.
• Buffer Overflow and Remote Code Execution (RCE) Vulnerabilities: These risks may arise due to unpatched or outdated software versions, making MFPs an easy target for exploitation.

Asset Discovery & Inventory

It is essential to maintain an updated inventory of MFPs, including the model and firmware versions.

To identify all MFPs in the network, we can use traffic analysis with protocols like NetFlow and analyze DHCP logs to search for relevant MAC addresses.

Another effective method is network scanning. In addition to vulnerability scanners, we can use simpler solutions like network scanners. For example, Nmap can be utilized to scan the network and gather valuable information about connected MFPs.

The following command will scan the network using Nmap and execute a script to retrieve the title header of web applications, helping us identify the device vendor:

sudo nmap -P0 -vv -sS -script=http-title.nse -p 80,443 192.168.12.0/24 

Many MFPs have the SNMP protocol enabled by default. The command below will scan the network, connect to the SNMP service, and retrieve information using the snmp-info.nse script.

sudo nmap -P0 -sU -script=snmp-info.nse -p 161 -vv 192.168.21.0/24 

It is also a good idea to categorize certain MFPs as critical assets if they handle sensitive information.

Vulnerability Assessment

We can perform regular vulnerability scans using a scanner like Nessus, for example. Unfortunately, this is not always possible because printers are fragile devices, and in some cases, scanning them or sending data to specific ports may cause malfunctions or even disrupt their functionality.

An alternative approach to assessing vulnerabilities in MFPs is to monitor vendor security bulletins for updates and CVE disclosures.

Check for misconfigurations and vulnerabilities using self-crafted scripts.

As an additional step, we can create our own script if a vulnerability and its exploit are publicly available. For example, I wrote a Python script that scans an IP network for the CVE-2022-1026 vulnerability in Kyocera devices. I used a publicly available exploit, modified it, and integrated it into the scanning script.

python3 scan_kyocera.py 192.0.2.0/25 

\

from csv import reader, writer import socket import warnings import argparse from exp_kyocera import cve_kyocera import ipaddress  warnings.filterwarnings('ignore', message='Unverified HTTPS request')  ####### # #Port TCP 9091 should be accessible #In the address book of kyocera device there should be at least one record for exploit to work #To run: python3 scan_kyocera.py 192.0.2.0/25 # ##################  #Save results def write_results(inlist, resultname):     fileResults = open(resultname + '.csv', mode='w', encoding='utf8', newline='')     resultwriter = writer(fileResults, delimiter=',')     resultwriter.writerows(inlist)     fileResults.close()   #Args parser = argparse.ArgumentParser() parser.add_argument("network", help="network to scan with CIDR, example: 192.0.2.0/25") args = parser.parse_args()  net = args.network result_data = [['#', 'IP', 'Result']] target_network = ipaddress.ip_network(net) socket.setdefaulttimeout(1) #Timeout in seconds to wait on socket - 9091 n = 0 for t in target_network.hosts():     n += 1     target = str(t)     s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)     isopen = s.connect_ex((target, 9091))     if isopen == 0:         result = cve_kyocera(target)     else:         result = 'Timeout'     result_data.append([n, target, result])  #Write results write_results(result_data, 'results')  #Print vulnerable results print(result_data[0:1]) for r in result_data[1:]:     if r[2] == 'Vulnerable':         print(r) 

There was no other way to check all the devices for this vulnerability because the vulnerability scanner was unable to detect it.

Final Thoughts

Multifunction Printers (MFPs) are often overlooked in cybersecurity strategies, yet they can represent a significant vulnerability in corporate networks. These devices should be included in the risk prioritization process, where the impact and exploitability of detected vulnerabilities are evaluated, and patches are prioritized accordingly.

The typical remediation and hardening process should include the following steps:

• Change default credentials and enforce role-based access control (RBAC) if supported.
• Disable unnecessary services, such as Telnet, FTP, SNMP v1/v2, and any web interfaces, whenever possible.
• Apply firmware updates and security patches as soon as they become available.
• Enable secure communication protocols, including HTTPS, SFTP, and SNMP v3, for any necessary services.
• Restrict both physical and remote access to authorized personnel only.
• If syslog is available, configure log monitoring and auditing using a Security Information and Event Management (SIEM) solution.

\