Critical bugs in Canon printers allow code execution and DDoS

Canon has fixed seven critical buffer overflow bugs affecting its multifunction printers and small office laser printers.

Tracked as CVE-2023-6229 through CVE-2023-6234 (plus CVE-2024-0244), the bugs affect several common processes across Canon product lines, such as the username or password process involved in mobile device authentication, the Service Location Protocol (SLP) attribute request process, and more.

The company gave all of them a “critical” score of 9.8 out of 10 on the CVSS (Common Vulnerability Scoring System) scale. As explained in a security advisory, they may allow unauthenticated attackers to remotely perform denial of service (DoS) or arbitrary code execution against any affected printer connected directly to the Internet. They also offer a handy pivot point for digging deeper into victim networks.

No exploitation has been observed in the wild so far, according to the company’s European website, but owners should look for indicators of compromise, as the bugs have been publicly known but unpatched for months.

Difficult to manage: the problem of printer security

The seven vulnerabilities patched on February 5 were revealed along with dozens of others at Toronto’s Pwn2Own SOHO Smashup last summer, where contestants were invited to hack routers and then the SOHO (small office/home office) devices they connect to.

Printers, so rarely recognized as fertile ground for cyberattacks, received their own category during the event.

“The attack surface is pretty large right now and often overlooked, especially in small businesses, because it’s difficult to manage at an enterprise level,” explains Dustin Childs, threat awareness manager for Trend Micro’s Zero Day Initiative (ZDI), which organizes the Pwn2Own hacking competition. “I mean, it’s not like printers have automatic updates or other features that you can use to manage them easily and cleanly.”

He adds: “Printers have always been known for being finicky. We can go back to Office Space, one of the most important scenes where I took a baseball bat to the printer. It’s a joke, but it’s a joke based in reality. These things are difficult to manage. Drivers are difficult to manage. And they contain a lot of problematic software.”

As a result, an older office printer, connected to other, more sensitive devices in a small to medium business (SMB) network, tends to be quite easy to crack.

“I was a little shocked at how little they had to work on it to find truly workable exploits,” Childs recalls of Pwn2Own Toronto. For example: “Last year someone played the Mario theme on a printer. And he said it took him longer to figure out how to play the Mario theme than it took him to make use of the printer.”

What SMBs can do to solve the printer security mess

In addition to the obvious step of updating to the latest firmware, Canon advises its customers to “set a private IP address for the products and create a network environment with a firewall or wired/Wi-Fi router that can limit access to the network”.

The advice addresses a broader point: Even though printers are thick and bulky, what is manageable is their connectivity.

“There used to be, believe it or not, addressable printers on the Internet. What companies did was eliminate printers from the Internet, which is a change from the last decade. Now we have them at our fingertips at least a firewall, or a router, or something,” explains Childs.

However, he adds, “as we have seen with PrintNightmare and other printer-based exploits, you can get past that firewall and then attack a printer, then move from that to other targets within an enterprise.” To prevent a compromised printer from reaching further into the network, SMBs need to focus on properly segmenting different areas of their networks.
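Canon's advice to use private addresses and the segmentation point above can both be checked against a device inventory. The following is an added example, not code from the article or from Canon; the inventory, device names and network plan are constructed assumptions for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Assumed network plan (hypothetical): one printer-only segment, two segments to keep apart from it.
PRINTER_SEGMENT = ipaddress.ip_network("192.168.50.0/24")
OTHER_SEGMENTS = [ipaddress.ip_network("192.168.10.0/24"),
                  ipaddress.ip_network("192.168.20.0/24")]

# Constructed sample inventory; names and addresses are illustrative only.
INVENTORY = [
    {"name": "printer-frontdesk", "role": "printer", "ip": "192.168.50.10"},
    {"name": "printer-warehouse", "role": "printer", "ip": "203.0.113.25"},
    {"name": "printer-finance", "role": "printer", "ip": "192.168.10.40"},
    {"name": "printer-lab", "role": "printer", "ip": "192.168.50.300"},
    {"name": "fileserver", "role": "server", "ip": "192.168.10.5"},
    {"name": "laptop-01", "role": "workstation", "ip": "192.168.20.17"},
]

def audit_printers(inventory, printer_segment, other_segments):
    """Return {printer name: [issues]}; an empty list means the printer fits the plan."""
    hosts = []  # non-printer devices with a parseable address
    for dev in inventory:
        if dev["role"] != "printer":
            try:
                hosts.append((dev["name"], ipaddress.ip_address(dev["ip"])))
            except ValueError:
                pass
    report = {}
    for dev in inventory:
        if dev["role"] != "printer":
            continue
        issues = report.setdefault(dev["name"], [])
        try:
            addr = ipaddress.ip_address(dev["ip"])
        except ValueError:
            issues.append("invalid-address")  # bad inventory data is itself a finding
            continue
        if not any(addr in net for net in RFC1918):
            issues.append("not-private-address")  # may be reachable from the Internet
        if addr not in printer_segment:
            issues.append("outside-printer-segment")
        for seg in other_segments:
            if addr in seg:  # printer sits beside hosts it could pivot to
                peers = sorted(name for name, ip in hosts if ip in seg)
                issues.append(f"shares {seg} with: {', '.join(peers) or 'no known hosts'}")
    return report

if __name__ == "__main__":
    for name, issues in audit_printers(INVENTORY, PRINTER_SEGMENT, OTHER_SEGMENTS).items():
        print(f"{name}: {'; '.join(issues) if issues else 'ok'}")
```

An address inside the printer segment only shows that the addressing plan is followed; the firewall or router rules between segments still have to enforce the separation.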

The best way to protect the printers themselves, meanwhile, is to apply patches. As Childs recalls, “I can’t tell you how many times I heard about exploited printers that were three or four updates behind.”
