
Popular enterprise printers riddled with security risks

15 Aug 2019

Six common enterprise printers are riddled with vulnerabilities that highlight just how many organisations and manufacturers neglect to look after their devices - but in this case, the manufacturers are promising to patch them.

Researchers from NCC Group analysed different aspects of six mid-range enterprise printers manufactured by HP, Ricoh, Xerox, Lexmark, Kyocera, and Brother. 

The researchers tested everything from hardware, web applications and web services to firmware and update capabilities.

They found numerous vulnerabilities in each printer, ranging in severity. Potential impacts include denial of service attacks that could cause the printers to crash, backdoors within compromised printers to maintain a hidden presence on the network, and the ability to spy on every print job sent and to send print jobs through to unauthorised parties.

“Because printers have been around for so long, they’re not seen as enterprise IoT devices—but they’re embedded in corporate networks and therefore pose a significant risk,” says NCC Group research director Matt Lewis.

“Building security into the development lifecycle would mitigate most if not all of these vulnerabilities. It’s very important that manufacturers continue to invest in security for all devices, just as corporate IT teams should guard against IoT-related vulnerabilities with even small changes: changing default settings, enforcing secure configuration guides and regularly updating firmware.”

According to NCC Group, all uncovered vulnerabilities have been issued patches – or they will be. System administrators are advised to update all vulnerable printers with the latest firmware, and monitor further updates.

“These examples demonstrate just how careful manufacturers and the enterprises using their devices need to be when it comes to ensuring network-connected printers are up to scratch in terms of cybersecurity,” the researchers state.

Full list of vulnerabilities:

Brother printers

  • Stack Buffer Overflow in Cookie Values (CVE-2019-13193)
  • Heap Overflow in IPP Attribute Name (CVE-2019-13192)
  • Information Disclosure Vulnerability (CVE-2019-13194)

HP printers

  • Multiple Buffer Overflows in IPP Service (CVE-2019-6327)
  • Buffer Overflow in Web Server (CVE-2019-6326)
  • Multiple Cross-Site Scripting Vulnerabilities (CVE-2019-6323, CVE-2019-6324)
  • Cross-Site Request Forgery Countermeasures Bypass (CVE-2019-6325)

Kyocera printers

  • Multiple Buffer Overflows in Web Server (CVE-2019-13196, CVE-2019-13197, CVE-2019-13202, CVE-2019-13203, CVE-2019-13206)
  • Multiple Buffer Overflows in IPP Service (CVE-2019-13204)
  • Buffer Overflow in LPD Service (CVE-2019-13201)
  • Path Traversal (CVE-2019-13195)
  • Broken Access Controls (CVE-2019-13205)
  • Multiple Cross-Site Scripting Vulnerabilities (CVE-2019-13198, CVE-2019-13200)
  • Lack of Cross-Site Request Forgery Countermeasures (CVE-2019-13199)

Lexmark printers

  • SNMP Denial of Service Vulnerability (CVE-2019-9931)
  • Multiple Overflows in Lexmark Web Server (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933)
  • Information Disclosure Vulnerabilities (CVE-2019-9934, CVE-2019-9935)
  • Information Disclosure Vulnerability via Finger Service (CVE-2019-10059)
  • Lack of Cross-Site Request Forgery Countermeasures (CVE-2019-10057)
  • No Account Lockout Implemented (CVE-2019-10058)

Ricoh printers

  • Multiple Buffer Overflows Parsing HTTP Cookie Headers (CVE-2019-14300)
  • Multiple Buffer Overflows Parsing HTTP Parameters (CVE-2019-14305, CVE-2019-14307)
  • Buffer Overflow Parsing LPD Packets (CVE-2019-14308)
  • No Account Lockout Implemented (CVE-2019-14299)
  • Multiple Information Disclosure Vulnerabilities (CVE-2019-14301, CVE-2019-14306)
  • Wrong LPD Implementation Lead to Denial of Service (CVE-2019-14303)
  • Lack of Cross-Site Request Forgery Countermeasures (CVE-2019-14304)
  • Buffer Overflow in IPP Service (CVE-2019-14310)
  • Hardware Serial Connector Exposed (CVE-2019-14302)
  • Hardcoded Credentials (CVE-2019-14309)

Xerox printers

  • Buffer Overflow in Google Cloud Print Implementation (CVE-2019-13171)
  • Multiple Buffer Overflows in IPP Service (CVE-2019-13165, CVE-2019-13168)
  • Multiple Buffer Overflows in Web Server (CVE-2019-13169, CVE-2019-13172)
  • Multiple Cross-Site Scripting Vulnerabilities (CVE-2019-13167)
  • Lack of Cross-Site Request Forgery Countermeasures (CVE-2019-13170)
  • No Account Lockout Implemented (CVE-2019-13166)