Did they expect such an abundant harvest? Researchers from the specialized firm Rapid7 have been conducting, since May 2024, a security audit of several multifunction printers from the American manufacturer Brother. Their work identified eight exploitable security flaws that had not yet been documented. They also confirmed that many of these vulnerabilities affect a significant part of the manufacturer’s product catalogue, including ranges other than multifunction printers.
In total, they count 689 vulnerable devices at Brother. But the brand does not have exclusivity: some of these flaws were reportedly also found on 46 Fujifilm printers, six Konica Minolta, five Ricoh and two Toshiba, for a total of 748 affected models.
A vulnerability impossible to correct
The most serious of these flaws, recorded under the reference CVE-2024-51978 and rated critical, carries a vulnerability score (CVSS) of 9.8/10. Relatively simple to exploit, it allows, according to Rapid7, an attacker who holds the device’s serial number to modify the default administrator password.
The researchers explain that they discovered, on an MFC L9570CDW printer, that the default administration password was a sequence of eight characters generated by an algorithm from the machine’s serial number. An attacker holding this serial number would therefore be able to generate this password and thus take control of the machine, or modify the access credentials. In the researchers’ eyes, the encryption appears deficient. “We do not clearly know what cryptographic property this algorithm seeks to achieve; rather, it seems to be an attempt to conceal the default password generation technique,” the authors comment.
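To make the researchers’ point concrete, here is an added illustration in Python that is not Brother’s algorithm (the article does not describe it) and not Rapid7’s code. It contrasts a hypothetical derivation that turns a serial number into an eight-character default password with a per-device random generation, and shows why the first offers no secrecy once the serial is known. The serial number and the “firmware constant” are constructed for the example.

```python
import hashlib
import math
import secrets
import string

ALPHABET = string.ascii_uppercase + string.digits  # 36 symbols

# Hypothetical constant "hidden" in the firmware (constructed value). It is the
# same on every device, so recovering it once unlocks the whole product line.
FIRMWARE_CONSTANT = b"example-constant"


def derive_default_password(serial: str) -> str:
    """Hypothetical stand-in for a serial-derived default (NOT Brother's scheme).

    Everything feeding the hash is either public (the serial) or shared by the
    whole product line (the constant), so the output is reproducible by anyone
    who knows both. Hashing here is obfuscation, not a secret.
    """
    digest = hashlib.sha256(FIRMWARE_CONSTANT + serial.encode()).digest()
    return "".join(ALPHABET[b % len(ALPHABET)] for b in digest[:8])


def is_reproducible_from_serial(serial: str, stored_default: str) -> bool:
    """Design-review check: if the stored default can be recomputed from the
    serial plus line-wide constants, it provides no per-device secrecy."""
    return derive_default_password(serial) == stored_default


def generate_per_device_password(length: int = 12) -> str:
    """The alternative that does not fail this way: an unpredictable value from a
    CSPRNG, drawn at manufacture and delivered on the device's label, so that no
    public identifier lets a third party recompute it."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def residual_entropy_bits(derived_from_public_inputs: bool, length: int) -> float:
    """Guessing work left for someone who already knows the serial.

    A deterministic function of known inputs leaves nothing to guess; a random
    password of `length` symbols over a 36-symbol alphabet leaves
    length * log2(36) bits.
    """
    if derived_from_public_inputs:
        return 0.0
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    serial = "X1234567"  # constructed example serial, not a real device
    default = derive_default_password(serial)
    print("derived default:", default,
          "| reproducible from serial:", is_reproducible_from_serial(serial, default),
          "| residual bits:", residual_entropy_bits(True, 8))
    print("random default:", generate_per_device_password(),
          "| residual bits: %.1f" % residual_entropy_bits(False, 12))
```

The lesson is the one the quoted comment hints at: a hash or a hidden constant makes the derivation harder to read, but not harder to reproduce; only per-device randomness that never leaves the factory removes the link between a public identifier and the password.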
The problem is that this serial number is itself exposed, notably through another of the eight flaws discovered. Flaw CVE-2024-51977 opens unauthenticated access to the information contained in the /etc/mnt_info.csv file. “The disclosed information includes the device model, the firmware version, the IP address and the serial number,” the notice specifies.
In response to this double discovery, Brother invites users to change the administrator password of the devices concerned without delay. The measure applies to everyone, without waiting for a possible fix. “Brother has indicated that this vulnerability cannot be fully corrected in the firmware and requires a change in the manufacturing process of all the models concerned,” says Rapid7. Pending this change, the devices therefore remain vulnerable.
A year before disclosure
Brother got ahead of Rapid7’s announcement by publishing online, on June 19, an information note that specifies the conduct to adopt for each of the newly documented and now public vulnerabilities. In addition to changing the administrator password, suggested as the answer to three vulnerabilities, Brother recommends temporarily disabling the WSD (Web Services for Devices) and TFTP (Trivial File Transfer Protocol) functions while waiting for a firmware update of the device concerned. The other manufacturers named have also published dedicated alerts and announced the upcoming deployment of fixes (Fujifilm, Ricoh, Toshiba, Konica Minolta).
As often in this kind of work, these discoveries led to exchanges between the researchers and the manufacturers concerned, organized under the aegis of a third-party authority. Here it was JPCERT/CC, a Japanese alert and response center, that served as intermediary and set the timeline before publication of the technical details of the flaws discovered.
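For an administrator with a fleet of these devices, the advisory actions above translate into a simple triage over an asset inventory. The Python below is an added example, not from the article, Brother or Rapid7: it assumes an inventory record per printer with a field stating whether the vendor firmware update has been applied (and that the update closes the unauthenticated disclosure flaw), and its priority labels are the example’s own. The inventory, model names and serials are constructed.

```python
from dataclasses import dataclass


@dataclass
class Printer:
    hostname: str
    model: str
    serial: str
    admin_password_changed: bool   # default administrator password replaced?
    wsd_enabled: bool
    tftp_enabled: bool
    firmware_updated: bool         # assumed field: vendor firmware fix applied


def triage(device: Printer) -> list[str]:
    """Return the outstanding advisory actions for one device, highest first."""
    actions = []
    # The serial-derived default (CVE-2024-51978) cannot be fixed in firmware,
    # so the password change is required regardless of firmware state.
    if not device.admin_password_changed:
        if not device.firmware_updated:
            # With the disclosure flaw (CVE-2024-51977) assumed still open, the
            # serial is readable without authentication: treat as exposed.
            actions.append("CRITICAL: change the default administrator password "
                           "(serial readable via CVE-2024-51977, "
                           "password derivable via CVE-2024-51978)")
        else:
            actions.append("HIGH: change the default administrator password "
                           "(CVE-2024-51978)")
    # Interim mitigations from Brother's note, needed only until the firmware
    # update is applied.
    if not device.firmware_updated:
        if device.wsd_enabled:
            actions.append("MEDIUM: disable WSD until the firmware update is applied")
        if device.tftp_enabled:
            actions.append("MEDIUM: disable TFTP until the firmware update is applied")
    return actions


def report(inventory: list[Printer]) -> dict[str, list[str]]:
    """Map each hostname to its outstanding actions; an empty list means done."""
    return {d.hostname: triage(d) for d in inventory}


# Constructed inventory for the example; models and serials are placeholders.
INVENTORY = [
    Printer("print-lobby", "EXAMPLE-MFC", "SER000001", False, True, True, False),
    Printer("print-hr", "EXAMPLE-MFC", "SER000002", False, False, False, True),
    Printer("print-lab", "EXAMPLE-L", "SER000003", True, True, False, False),
    Printer("print-done", "EXAMPLE-L", "SER000004", True, False, False, True),
]

if __name__ == "__main__":
    for host, actions in report(INVENTORY).items():
        print(host, "->", actions or ["no action outstanding"])
```

The ordering reflects the article’s “double discovery”: a device that still has its default password and has not received the firmware update is the one where an unauthenticated party can obtain the serial and, from it, the password, so it goes first; the WSD and TFTP items drop off once the firmware is updated, while the password change never does.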