Source: T. Schneider via Shutterstock
A popular small to midrange Xerox business printer contains two now-patched vulnerabilities in its firmware that allow attackers an opportunity to gain full access to an organization's Windows environment.
The vulnerabilities affect firmware version 57.69.91 and earlier in Xerox VersaLink C7025 multifunction printers (MFPs). Both flaws enable what are known as pass-back attacks, a class of attacks that essentially allow a bad actor to capture user credentials by manipulating the MFP's configuration.
Complete Access to Windows Environments
In certain situations, a malicious actor who successfully exploits the Xerox printer vulnerabilities would be able to capture credentials for Windows Active Directory, according to researchers at Rapid7 who discovered the flaws. "This means they could then move laterally within an organization's environment and compromise other critical Windows servers and file systems," Deral Heiland, principal security researcher, IoT, for Rapid7 wrote in a recent blog post.
Xerox describes VersaLink C7025 as a multifunction printer featuring ConnectKey, a Xerox technology that allows customers to interact with the printers over the cloud and via mobile devices. Among other things, the technology includes security features that, according to Xerox, help prevent attacks, detect potentially malicious changes to the printer, and protect against unauthorized transmission of critical data. Xerox has positioned its VersaLink family of printers as ideal for small and medium-sized workgroups that print around 7,000 pages per month.
The two vulnerabilities that Rapid7 discovered in the printer, and which Xerox has since fixed, are CVE-2024-12510 (CVSS score: 6.7), an LDAP pass-back vulnerability; and CVE-2024-12511 (CVSS score: 7.6), an SMB/FTP pass-back vulnerability.
The vulnerabilities, according to Rapid7, allow an attacker to change the MFP's configuration so as to cause the printer to send a user's authentication credentials to an attacker-controlled system. The attack would work if a vulnerable Xerox VersaLink C7025 printer is configured for LDAP and/or SMB services.
In such a situation, CVE-2024-12510 would allow an attacker to access the MFP's LDAP configuration page and change the LDAP server IP address in the printer's settings to point to their own malicious LDAP server. When the printer next tries to authenticate users by checking the LDAP User Mappings page, it connects to the attacker's fake LDAP server instead of the legitimate corporate LDAP server. This paves the way for the attacker to capture clear text LDAP service credentials, Heiland wrote.
CVE-2024-12511 allows similar credential capture when the SMB or FTP scan function is enabled on a vulnerable Xerox VersaLink C7025 printer. An attacker with admin-level access can modify the SMB or FTP server's IP address to their own malicious IP and capture SMB or FTP authentication credentials.
All it takes for an attacker to discover a vulnerable printer is to connect to an affected Xerox MFP device through a Web browser, validate that the default password is still enabled, and ensure that the device is configured for LDAP and/or SMB services, Heiland tells Dark Reading. "Also, it is often possible to query an MFP via SNMP and identify if LDAP services are enabled and configured."
The risk for organizations is that if a malicious actor were to gain any level of access to a business network, they could use the pass-back attack to easily harvest Active Directory credentials without being detected, he says. That would then allow them to pivot to more critical Windows systems within a compromised environment. "Sadly," he adds, "it's also not uncommon to find LDAP settings on MFP devices that contain Domain Admin credentials," which potentially could give a bad actor complete control of an organization's Windows environment.
"Since LDAP and SMB settings on MFP devices typically contain Windows Active Directory credentials, a successful attack would give a malicious actor access to Windows file services, domain information, email accounts, and database systems," Heiland says. "If a Domain Admin account or account with elevated privileges was used for LDAP or SMB, then an attacker would have unfettered access to potentially everything within the organization's Windows environment."
An Ideal Scenario for Threat Actors
Jim Routh, chief trust officer at Saviynt, says an attacker would need relatively sophisticated technical skills to exploit these kinds of vulnerabilities. But for those who can, the LDAP vulnerability enables access to Windows Active Directory where all administrator profiles and credentials reside. "It's the ideal scenario for the threat actor," he notes. "Every device connected to the Internet has configuration options that offer … an attack surface for the cybercriminal."
Xerox has released a patched version of the affected Xerox VersaLink MFP firmware, allowing customer organizations to update and fix the issues. Organizations that cannot immediately patch should set a "complex password for the admin account and also avoid using Windows authentication accounts that have elevated privileges, such as a Domain Admin account for LDAP or scan-to-file SMB services," according to the Rapid7 blog post. "Also, organizations should avoid enabling the remote-control console for unauthenticated users."
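The two weaknesses described above (an MFP whose LDAP or scan-to-file destination points somewhere it should not, with a privileged directory account behind it) and the mitigations Rapid7 recommends are both things a defender can check for. The following Python is an added example, not code from Rapid7, Xerox or Dark Reading: it audits an MFP configuration export against an allowlist of approved directory and file servers and flags privileged service accounts, default admin passwords and an unauthenticated remote control panel, then scans firewall flow logs for a printer sending LDAP, SMB or FTP traffic to a host outside that allowlist, which is the network footprint of a pass-back. The configuration schema, the flow-log format, the approved server addresses and the account-to-group mapping are all constructed assumptions for illustration; a real deployment would read the printer's own export and query Active Directory for group membership.

```python
"""Audit MFP LDAP/SMB/FTP settings and spot pass-back style traffic.

Constructed example: the configuration schema, log format, approved servers
and account-to-group mapping are assumptions for illustration, not Xerox's
export format or Rapid7's tooling.
"""
import re
from typing import Dict, Iterable, List, Set, Tuple

# Constructed allowlists: the only hosts the printer should ever send credentials to.
APPROVED_LDAP_SERVERS: Set[str] = {"10.0.0.10", "10.0.0.11"}
APPROVED_FILE_SERVERS: Set[str] = {"10.0.0.20"}

# Constructed directory lookup (account -> groups); in practice, query AD for this.
ACCOUNT_GROUPS: Dict[str, Set[str]] = {
    "corp\\administrator": {"Domain Admins", "Domain Users"},
    "corp\\svc_scan": {"Domain Users"},
}
PRIVILEGED_GROUPS: Set[str] = {"Domain Admins", "Enterprise Admins", "Administrators"}


def is_privileged(account: str) -> bool:
    """True if the account belongs to a group that must never be used for LDAP bind or scan-to-file."""
    return bool(ACCOUNT_GROUPS.get(account.lower(), set()) & PRIVILEGED_GROUPS)


def audit_mfp_config(cfg: Dict) -> List[str]:
    """Return one finding per weak setting, mirroring the hardening advice in the post."""
    findings: List[str] = []
    if cfg.get("admin_password_is_default"):
        findings.append("admin account still uses the factory default password")

    ldap = cfg.get("ldap", {})
    if ldap.get("enabled"):
        if ldap.get("server") not in APPROVED_LDAP_SERVERS:
            findings.append(f"LDAP server {ldap.get('server')} is not an approved directory server")
        if is_privileged(ldap.get("bind_account", "")):
            findings.append(f"LDAP bind account {ldap['bind_account']} is privileged")

    for svc in ("smb", "ftp"):
        dest = cfg.get(svc, {})
        if not dest.get("enabled"):
            continue
        if dest.get("server") not in APPROVED_FILE_SERVERS:
            findings.append(f"{svc.upper()} scan destination {dest.get('server')} is not an approved file server")
        if is_privileged(dest.get("account", "")):
            findings.append(f"{svc.upper()} scan account {dest['account']} is privileged")

    if cfg.get("remote_control_panel_unauthenticated"):
        findings.append("remote control panel is reachable without authentication")
    return findings


# Constructed firewall flow-log format: "<ts> src=<ip> dst=<ip> dport=<port> proto=tcp".
FLOW_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)\s+proto=tcp")
CREDENTIAL_PORTS = {389: "ldap", 636: "ldaps", 445: "smb", 21: "ftp"}


def detect_passback_flows(lines: Iterable[str], printer_ips: Set[str],
                          approved: Set[str]) -> List[Tuple[str, str, str]]:
    """Flag printers talking LDAP/SMB/FTP to any host outside the approved set."""
    alerts: List[Tuple[str, str, str]] = []
    for line in lines:
        m = FLOW_RE.search(line)
        if not m:
            continue
        src, dst, dport = m["src"], m["dst"], int(m["dport"])
        if src in printer_ips and dport in CREDENTIAL_PORTS and dst not in approved:
            alerts.append((src, dst, CREDENTIAL_PORTS[dport]))
    return alerts


# Constructed sample export: LDAP points at a real DC but binds as a Domain Admin,
# SMB scan-to-file points at an unknown host, default password and open remote panel.
SAMPLE_CFG = {
    "admin_password_is_default": True,
    "ldap": {"enabled": True, "server": "10.0.0.10", "bind_account": "CORP\\Administrator"},
    "smb": {"enabled": True, "server": "203.0.113.7", "account": "CORP\\svc_scan"},
    "ftp": {"enabled": False, "server": "", "account": ""},
    "remote_control_panel_unauthenticated": True,
}

# Constructed flow records from a printer at 10.0.5.50.
SAMPLE_FLOWS = [
    "2025-02-20T10:01:02Z src=10.0.5.50 dst=10.0.0.10 dport=389 proto=tcp",     # approved DC: fine
    "2025-02-20T10:02:10Z src=10.0.5.50 dst=203.0.113.7 dport=445 proto=tcp",   # SMB to unknown host
    "2025-02-20T10:02:15Z src=10.0.5.50 dst=203.0.113.7 dport=389 proto=tcp",   # LDAP to unknown host
    "2025-02-20T10:03:00Z src=10.0.9.9 dst=203.0.113.7 dport=445 proto=tcp",    # not a printer: ignored
    "2025-02-20T10:04:00Z src=10.0.5.50 dst=198.51.100.9 dport=80 proto=tcp",   # not a credential port
]

if __name__ == "__main__":
    for finding in audit_mfp_config(SAMPLE_CFG):
        print("CONFIG:", finding)
    approved_all = APPROVED_LDAP_SERVERS | APPROVED_FILE_SERVERS
    for src, dst, svc in detect_passback_flows(SAMPLE_FLOWS, {"10.0.5.50"}, approved_all):
        print(f"FLOW: printer {src} sent {svc} traffic to unapproved host {dst}")
```

The configuration audit catches the pass-back precondition before anyone exploits it (a changed LDAP or scan destination, a privileged bind account, the default admin password), while the flow check catches the attack in progress: a printer should only ever speak LDAP or SMB to the handful of servers it was configured for, so any other destination on those ports is worth an alert regardless of what the printer's web UI currently claims.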
Printer vulnerabilities are a growing problem for many organizations because of the rise in remote and hybrid work models. A 2024 study by Quocirca found 67% of organizations had experienced a security incident tied to a printer vulnerability, up from 61% the prior year. Despite the trend, many organizations continue to underestimate printer-related threats, making it a soft spot for attackers to target.