
A device-bricking vulnerability in certain Xerox printer models, first reported to the vendor in 2019, has now been patched.
The security defect, tracked as CVE-2022-23968, was reported to Xerox in September 2019. In January 2020 the vendor confirmed that at least one series of printer models was affected, but said nothing further about the bug for two more years.
The flaw is triggered by a specially crafted multi-page TIFF file that contains an incomplete image file directory (IFD). Before printing, the device parses the submitted document to identify the resources the job needs; the TIFF handler in the printer's firmware fails while parsing the incomplete directories, and the print job is suspended.
The device then reboots, but the job is still in the print queue and is processed again after the reboot, so the failure recurs. The print queue management interface cannot be reached in the window before the error repeats and stays inaccessible afterwards, so none of the available user interfaces offers a way to clear the queue and break out of this loop.
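To make the failure mode concrete, here is an added example (not Xerox firmware and not code from the researcher's report) of the bounds checking a TIFF handler needs so that a document with an incomplete image directory is rejected up front, before the job is committed to the queue, rather than dereferenced. The sample files, the MAX_PAGES bound and the helper that corrupts a next-IFD pointer are constructed for this illustration.

```python
"""Bounds-checked walk of a TIFF's IFD chain. Added example, not Xerox firmware:
each IFD is a 2-byte entry count, `count` 12-byte entries and a 4-byte pointer to
the next IFD (0 ends the chain); every read is checked against the file length."""
import struct

MAX_PAGES = 4096   # assumed cap on chain length; also bounds a corrupt chain that never ends
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


class TiffError(ValueError):
    """Structural problem in the document; the caller fails the job, not the device."""


def parse_ifds(data: bytes) -> list:
    """Return one (ifd_offset, entries) tuple per page, entries being (tag, type, count,
    value_or_offset). Raise TiffError on truncation, bad offsets, unknown types, cycles."""
    if len(data) < 8:
        raise TiffError("shorter than the 8-byte TIFF header")
    bo = {b"II": "<", b"MM": ">"}.get(data[:2])        # little- or big-endian
    if bo is None:
        raise TiffError("bad byte-order mark")
    magic, offset = struct.unpack(bo + "HI", data[2:8])
    if magic != 42:
        raise TiffError(f"bad magic number {magic}")

    pages, seen = [], set()
    while offset != 0:
        if offset in seen:
            raise TiffError(f"IFD chain loops back to offset {offset}")
        if len(pages) >= MAX_PAGES:
            raise TiffError("IFD chain longer than MAX_PAGES")
        seen.add(offset)
        # The entry count must lie inside the file...
        if offset + 2 > len(data):
            raise TiffError(f"IFD at {offset} starts beyond end of file ({len(data)} bytes)")
        (count,) = struct.unpack_from(bo + "H", data, offset)
        # ...and so must all `count` entries plus the next-IFD pointer after them.
        end = offset + 2 + 12 * count + 4
        if end > len(data):
            raise TiffError(f"IFD at {offset} declares {count} entries but needs {end} bytes; "
                            f"file has {len(data)} (incomplete image directory)")
        entries = []
        for i in range(count):
            tag, ftype, n, value = struct.unpack_from(bo + "HHII", data, offset + 2 + 12 * i)
            if ftype not in TYPE_SIZES:
                raise TiffError(f"tag {tag}: unknown field type {ftype}")
            size = TYPE_SIZES[ftype] * n
            # Values wider than 4 bytes are stored out of line; that offset needs checking too.
            if size > 4 and value + size > len(data):
                raise TiffError(f"tag {tag}: {size} bytes at offset {value} exceed file length")
            entries.append((tag, ftype, n, value))
        pages.append((offset, entries))
        (offset,) = struct.unpack_from(bo + "I", data, end - 4)
    if not pages:
        raise TiffError("no image directories")
    return pages


def check_before_enqueue(data: bytes) -> tuple:
    """Gate for a submitted document: validate first, queue second."""
    try:
        pages = parse_ifds(data)
    except TiffError as exc:
        return False, f"rejected: {exc}"
    return True, f"accepted: {len(pages)} page(s)"


def build_tiff(num_pages: int) -> bytes:
    """Constructed sample: minimal little-endian TIFF of 1x1 8-bit pages, 68 bytes
    each (5-entry IFD, pixel byte, pad byte). Not a real scan."""
    out = bytearray(struct.pack("<2sHI", b"II", 42, 8))
    for i in range(num_pages):
        ifd = 8 + 68 * i
        pixel = ifd + 2 + 5 * 12 + 4
        nxt = ifd + 68 if i + 1 < num_pages else 0
        out += struct.pack("<H", 5)
        out += struct.pack("<HHII", 256, 4, 1, 1)      # ImageWidth = 1
        out += struct.pack("<HHII", 257, 4, 1, 1)      # ImageLength = 1
        out += struct.pack("<HHII", 258, 3, 1, 8)      # BitsPerSample = 8 (inline SHORT)
        out += struct.pack("<HHII", 273, 4, 1, pixel)  # StripOffsets -> the pixel byte
        out += struct.pack("<HHII", 279, 4, 1, 1)      # StripByteCounts = 1
        out += struct.pack("<I", nxt)
        out += b"\x80\x00"                             # pixel, then pad to even length
    return bytes(out)


def with_next_pointer(data: bytes, ifd_offset: int, new_next: int) -> bytes:
    """Overwrite an IFD's next pointer in a little-endian file to model a corrupt chain."""
    (count,) = struct.unpack_from("<H", data, ifd_offset)
    pos = ifd_offset + 2 + 12 * count
    return data[:pos] + struct.pack("<I", new_next) + data[pos + 4:]


if __name__ == "__main__":
    good = build_tiff(2)                                        # 144 bytes, second IFD at 76
    print(check_before_enqueue(good))                           # accepted, 2 pages
    print(check_before_enqueue(good[:114]))                     # second IFD cut mid-entry
    print(check_before_enqueue(good[:77]))                      # its entry count is past EOF
    print(check_before_enqueue(with_next_pointer(good, 76, 8))) # chain loops back to page 1
```

The point of `check_before_enqueue` is ordering: a document that fails validation never reaches persistent storage, so a reboot cannot bring it back. A handler that enqueues first and parses later has already lost that property by the time the parser runs.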
An attacker needs no special permissions to exploit the vulnerability, whether they have local network access to the printer or deliver the specially crafted TIFF document over the Internet.
The device's web interface exposes an HTTP(S) POST endpoint that is not protected by any nonce (anti-CSRF token), and cross-origin mitigations do not help because the attacker never needs to read the response: a blind cross-site POST issued from a page in a victim's browser is enough. The attacker only needs the device's hostname or IP address on the target network, and even that can be discovered from JavaScript, since the endpoint URL is fixed and IPv4 is enabled by default, which keeps the address space to probe small. As a mitigation, the printer can be configured to reject input from unauthenticated users.
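The following added example (not Xerox code; requests are modelled as plain dictionaries with constructed values, and the device origin, secret key and header names are assumptions) puts the weak submission gate the article describes next to a hardened one. It shows why CORS is irrelevant to this attack: the browser sends the cross-site POST before any CORS decision is made, and CORS only governs whether the attacker's page may read the response. What blocks the request is a check the attacker's page cannot satisfy, here an authenticated session plus a session-bound anti-CSRF token, with an Origin check as defence in depth.

```python
"""Document-submission gate: the weak form the article describes beside a hardened form.
Added example, not Xerox firmware. Requests are dicts with constructed sample values."""
import hashlib
import hmac

SECRET = b"constructed-demo-key"         # assumption: per-device secret for token derivation
DEVICE_ORIGIN = "https://192.0.2.10"     # assumption: the printer's own origin


def csrf_token(session_id: str) -> str:
    """Token bound to the session; only same-origin pages can read it and echo it back."""
    return hmac.new(SECRET, session_id.encode(), hashlib.sha256).hexdigest()


def weak_gate(req: dict) -> bool:
    """Pre-fix behaviour: any POST carrying a document is processed, no nonce, no session."""
    return req["method"] == "POST" and "document" in req


def hardened_gate(req: dict, sessions: dict) -> tuple:
    """Reject unless the request comes from a logged-in session and carries its token."""
    if req["method"] != "POST" or "document" not in req:
        return False, "not a document submission"
    headers = req.get("headers", {})
    sid = req.get("cookies", {}).get("session")
    if sid not in sessions:
        return False, "unauthenticated"           # the "reject unauthenticated input" setting
    presented = headers.get("X-CSRF-Token", "").encode()
    if not hmac.compare_digest(presented, csrf_token(sid).encode()):
        return False, "missing or wrong anti-CSRF token"
    origin = headers.get("Origin")
    if origin is not None and origin != DEVICE_ORIGIN:
        return False, f"cross-site origin {origin}"
    return True, "accepted"


SESSIONS = {"s1": "operator"}   # constructed: one logged-in browser session

# Constructed requests. The browser attaches the printer's session cookie to a
# cross-site POST automatically (pre-SameSite defaults), but the attacker's page
# cannot read the token or spoof the Origin header.
LEGIT = {"method": "POST", "document": b"II*\x00...", "cookies": {"session": "s1"},
         "headers": {"Origin": DEVICE_ORIGIN, "X-CSRF-Token": csrf_token("s1")}}
CROSS_SITE = {"method": "POST", "document": b"II*\x00...", "cookies": {"session": "s1"},
              "headers": {"Origin": "https://attacker.example"}}
ANON = {"method": "POST", "document": b"II*\x00...", "headers": {}}   # straight from the Internet

if __name__ == "__main__":
    for name, req in (("legit", LEGIT), ("cross-site", CROSS_SITE), ("anonymous", ANON)):
        print(f"{name:10} weak={weak_gate(req)!s:5} hardened={hardened_gate(req, SESSIONS)}")
```

The weak gate accepts all three constructed requests, which is the situation the article describes. The hardened gate accepts only the one that a logged-in user's own page could have produced; the session check alone already covers the configuration-level mitigation of refusing unauthenticated input.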
The researcher reproduced the vulnerability on Xerox VersaLink printers running firmware versions xx.42.01 and xx.50.61. Xerox announced that it has published an advisory for this critical vulnerability, which confirms that multiple VersaLink series models, as well as two models from the WorkCentre and Phaser lines, are affected, and that the bug was addressed in June 2020.