Brother Printer Bug In 689 Models Exposes Millions To Hacking (securityweek.com)
An anonymous reader quotes a report from SecurityWeek: Hundreds of printer models from Brother and other vendors are impacted by potentially serious vulnerabilities discovered by researchers at Rapid7. The cybersecurity firm revealed on Wednesday that its researchers identified eight vulnerabilities affecting multifunction printers made by Brother. The security holes have been found to impact 689 printer, scanner and label maker models from Brother, and some or all of the flaws also affect 46 Fujifilm Business Innovation, five Ricoh, six Konica Minolta, and two Toshiba printers. Overall, millions of enterprise and home printers are believed to be exposed to hacker attacks due to these vulnerabilities.
The most serious of the flaws, tracked as CVE-2024-51978 and with a severity rating of 'critical', can allow a remote and unauthenticated attacker to bypass authentication by obtaining the device's default administrator password. CVE-2024-51978 can be chained with an information disclosure vulnerability tracked as CVE-2024-51977, which can be exploited to obtain a device's serial number. This serial number is needed to generate the default admin password. "This is due to the discovery of the default password generation procedure used by Brother devices," Rapid7 explained. "This procedure transforms a serial number into a default password. Affected devices have their default password set, based on each device's unique serial number, during the manufacturing process."
Having the admin password enables an attacker to reconfigure the device or abuse functionality intended for authenticated users. The remaining vulnerabilities, which have severity ratings of 'medium' and 'high', can be exploited for DoS attacks, forcing the printer to open a TCP connection, obtain the password of a configured external service, trigger a stack overflow, and perform arbitrary HTTP requests. Six of the eight vulnerabilities found by Rapid7 can be exploited without authentication. Brother has patched most of the flaws, but CVE-2024-51978 requires a new manufacturing process to fully resolve, which will apply only to future devices.
Oh ... (Score:3)
Oh Brother...
Do not buy standard printers (Score:2)
They are total scams. Mainly because some shmucks tried the 'razor blade' model, aka cheap initial buy with overpriced consumable (ink). The scum even once made it so that scanner/printers would not scan if you were out of ink.
These scumbags took over the ink based printer industry and no major ink based printer is honest any more.
If you need a printer and do not use it every single week, get an inkless printer. For special jobs (Resumes, etc) use a copy shop.
Re:Do not buy standard printers (Score:5, Interesting)
read the terms of service
It's almost as if there's no privacy anymore
Re:Do not buy standard printers (Score:4, Informative)
Re: Do not buy standard printers (Score:5, Insightful)
Actually, Brother printers have traditionally been one of the best responses to the razors-and-blades scam.
Yes, they sell toner (for mine), but there's no vendor lock-in that I've been able to find (unlike HP, which I'll never buy).
They're solid, great value plays, for not much money.
What, are you just not going to have a printer?
Re: Do not buy standard printers (Score:4, Insightful)
I'm using third-party ink in my Brother all-in-one. The only real drawback is that the built-in ink level meters do not work; you need to go to the iPrint&Scan app.
A 60% discount on ink is worth it.
Not many other manufacturers tolerate third-party supplies well.
Re: (Score:3)
Historically accurate, and I love me my Brother printers... but they've started requiring chips in their cartridges, which is the first step down the path to evil.
Re: (Score:2)
For inkjet, Epson EcoTank is also a thing; it is hard to lock out ink poured from a bottle into a tank.
Know what you are buying, buyer beware etc.
HP is dead to many, sadly there will always be sheep.
Unfortunate (Score:3)
Once again, vulnerabilities because of not changing the default password. When will people learn?
My 26 year old... (Score:3)
My 26 year old Brother HL-5370DW isn't on the list! Yay! And it even still works just fine...
Now if I could just find a device driver for my wife's laptop...
So... How is this an "arm waving" problem? (Score:3, Insightful)
Re: (Score:3)
It's a printer. It's almost as if every security story these days makes it sound like the world will end. Do you put your printer on the Internet?
Yeah, I use wifi printing almost exclusively these days. Can't remember the last time I plugged a printer wire into my laptop.
Re: (Score:2)
More and more people actually print straight from their phones. Or just occasionally. It is just easier/faster. Phones require wi-fi printing, thus connected to your home router... and the internet. So, yes, probably 90-99% of people put their printer on the internet.
Re: (Score:2)
On Linux, with a Brother printer, get the universal installer; it finds your printer model, downloads the printer and scanner drivers, and prompts you to install them.
Install only those 2 things, and nothing else. Connect your printer by USB.
You can remain private if you do that.
It is a bit hysterical (Score:2)
If a hacker already has access to the net the printer is on then you're screwed anyway. The printer will be the least interesting thing for him to hack.
Re: (Score:2)
Only if you're relying on perimeter security rather than a zero trust model.
With a perimeter model the printer could be the access vector that gets you behind the perimeter.
Re: So... How is this an "arm waving" problem? (Score:2)
I think one of the issues is that the printer can become a platform for launching DDoS attacks, outbound from your network: part of a botnet.
Placing it on your local network is protection from somebody accessing it directly from the Internet, but not from automated attacks from other affected devices on your network.
Re: (Score:2)
Multi-function printer/scanner/copier/fax machines have always had the crappiest security of pretty much any common tech device since their introduction. They're surprisingly capable, with massive storage, hard-coded passwords, insecure wireless and bluetooth, analog phone connection, and almost always running a years-outdated version of Linux. Just among the clients of my former employer the FTP site of one was used to host kiddie porn (customer wondered why incoming Internet traffic had spiked), and the
Re: (Score:2)
There was a great talk at Defcon about how they were able to send a malicious fax and deliver an exploit over the network to a windows box. https://threatpost.com/def-con... [threatpost.com]
Re: (Score:2)
My personal opinion is that this is a fairly low risk problem. But, it could be a serious problem in the ideal circumstance.
Assume you're a Chinese or North Korean agent and you've got one of these vulnerable printers in a high value target organization, CIA, MI6, the Kremlin. You, the attacker, craft a website with a page that contains requests to the printer's address. An address which you know from some previous scan or other magic. You then trick or phish a victim inside the building into going to your
Re: (Score:2)
Unless you want to physically go to the printer and plug in a cable, you'll probably network it, not that it's a huge problem really because you have to go to it to collect the paper anyway.
Creating an isolated airgapped network for the printer means you have to disconnect from your existing network first.
Putting the printer into its own isolated VLAN with limited access from wherever your user devices are works, but is more complex to set up.
If you're operating a perimeter based security model where you re
Re: So... How is this an "arm waving" problem? (Score:1)
It'd sure be nice to know... (Score:3)
If simply changing the admin password (as I have) is enough mitigation.
Is it possible to generate a magic password that opens admin access regardless?
Re: (Score:2)
Frequently these types of devices (I don't specifically know about Brother printers) will have a second account (often with a hard-coded password) that end users can't access and that only the repair person is supposed to use. Of course those credentials escape into the wild almost immediately.
Re: It'd sure be nice to know... (Score:4, Informative)
Answering my own question: changing the default admin password apparently IS a mitigation for the issue that firmware update cannot fix.
https://support.brother.com/g/... [brother.com]
Same security rule as always (Score:2)
Don't connect your printer to the Internet.
I have a Brother printer much older than the ones with these bugs.
It connects to my Wi-Fi, but it has no Internet features whatsoever.
I've Seen A Lot of Printers And MFPs (Score:3)
I've seen a LOT of printers and MFPs, Brother or otherwise. admin admin works on 96% of them.
This particular vulnerability is way more complicated than the extensive amount of low-hanging fruit that abounds. The only people getting excited about this one are the self-gratifying security types. Regular users and admins are thinking: Yeah? And?
Printers belong behind firewalls (Score:5, Informative)
And should never, ever be Internet-reachable. Seriously. How is this news?
Default passwords (Score:3)
So the problem is users having default passwords. A default which is generated from the serial number is a really half-assed approach and only slightly better than the old admin/admin.
Serial numbers are sequential/predictable, so you could easily brute force if you know the algorithm.
For something like a printer there is a much better approach:
1) Listen only on the IPv6 link-local address by default - so there's no way to access it without being on the same VLAN.
2) Disable remote functionality unless a physical control on the printer is set.
3) Keep the admin account locked by default - require the user to press a physical control on the printer to temporarily unlock the account. You could even have it generate and display a random password to the user - either on an inbuilt display which most of these printers have, or by printing it.
4) Force the password to be changed the first time the user logs in.
5) Tie management to the first device used to access the printer, again requiring a physical action to reset.
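As an added illustration of steps 3 to 5 of the proposal above (not code from the post, Brother, or Rapid7), here is a small model of an admin account that is locked by default, is unlocked only for a short window by a physical button, hands the user a random one-time password instead of a serial-derived one, forces a change on first login, and binds management to the first client that logs in. The class name, the 120-second window, the opaque `device_id` strings and the injectable clock are all assumptions made for the example.

```python
import secrets
import time

UNLOCK_WINDOW_S = 120  # assumed: how long one button press keeps the admin account open


class PrinterAdmin:
    """Model of a locked-by-default printer admin account (example, not vendor code)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock            # injectable so tests can move time forward
        self._unlocked_until = 0.0     # step 3: locked until a physical press
        self._password = None          # no serial-derived default ever exists
        self._must_change = True       # step 4: first login must set a new password
        self._bound_device = None      # step 5: management tied to first device

    def physical_button(self):
        """Someone at the printer pressed the control: open the window and,
        while no user-chosen password exists yet, mint a fresh random one
        (this is what the panel would display or print)."""
        self._unlocked_until = self._clock() + UNLOCK_WINDOW_S
        if self._must_change:
            self._password = secrets.token_urlsafe(12)  # 96 bits, 16 chars
            return self._password
        return None

    def factory_reset_binding(self):
        """Physical action that clears the bound management device (step 5)."""
        self._bound_device = None

    def login(self, device_id, password):
        """Returns 'locked', 'wrong-device', 'bad-password', 'change-password' or 'ok'."""
        if self._clock() > self._unlocked_until:
            return "locked"
        if self._bound_device not in (None, device_id):
            return "wrong-device"
        if self._password is None or not secrets.compare_digest(password, self._password):
            return "bad-password"
        if self._bound_device is None:
            self._bound_device = device_id      # first successful client wins the binding
        return "change-password" if self._must_change else "ok"

    def change_password(self, device_id, old, new):
        """Only a currently valid login may rotate the password; reject weak/unchanged values."""
        if self.login(device_id, old) not in ("ok", "change-password"):
            return False
        if len(new) < 12 or new == old:
            return False
        self._password = new
        self._must_change = False
        return True
```

Note that after the first password change a button press still has to open the window, so every admin login requires someone physically at the device, which is what makes a leaked serial number useless on its own.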