Brother Printer Bug In 689 Models Exposes Millions To Hacking

An anonymous reader quotes a report from SecurityWeek: Hundreds of printer models from Brother and other vendors are impacted by potentially serious vulnerabilities discovered by researchers at Rapid7. The cybersecurity firm revealed on Wednesday that its researchers identified eight vulnerabilities affecting multifunction printers made by Brother. The security holes have been found to impact 689 printer, scanner and label maker models from Brother, and some or all of the flaws also affect 46 Fujifilm Business Innovation, five Ricoh, six Konica Minolta, and two Toshiba printers. Overall, millions of enterprise and home printers are believed to be exposed to hacker attacks due to these vulnerabilities.

The most serious of the flaws, tracked as CVE-2024-51978 and with a severity rating of 'critical', can allow a remote and unauthenticated attacker to bypass authentication by obtaining the device's default administrator password. CVE-2024-51978 can be chained with an information disclosure vulnerability tracked as CVE-2024-51977, which can be exploited to obtain a device's serial number. This serial number is needed to generate the default admin password. 'This is due to the discovery of the default password generation procedure used by Brother devices,' Rapid7 explained. 'This procedure transforms a serial number into a default password. Affected devices have their default password set, based on each device's unique serial number, during the manufacturing process.'

Having the admin password enables an attacker to reconfigure the device or abuse functionality intended for authenticated users. The remaining vulnerabilities, which have severity ratings of 'medium' and 'high', can be exploited for DoS attacks, forcing the printer to open a TCP connection, obtain the password of a configured external service, trigger a stack overflow, and perform arbitrary HTTP requests. Six of the eight vulnerabilities found by Rapid7 can be exploited without authentication. Brother has patched most of the flaws, but CVE-2024-51978 requires a new manufacturing process to fully resolve, which will apply only to future devices.

Read more of this story at Slashdot.