Vendor description
"Konica Minolta is a Japanese multinational technology company headquartered in Marunouchi, Chiyoda, Tokyo, with offices in 49 countries worldwide. The company manufactures business and industrial imaging products, including copiers, laser printers, multi-functional peripherals (MFPs) and digital print systems for the production printing market. Konica Minolta's Managed Print Service (MPS) is called Optimised Print Services. The company also makes optical devices, including lenses and LCD film; medical and graphic imaging products, such as X-ray image processing systems, colour proofing systems, and X-ray film; photometers, 3-D digitizers, and other sensing products; and textile printers."
Source: https://en.wikipedia.org/wiki/Konica_Minolta
Business recommendation
Konica Minolta provided a patch for the firmware and operating system very quickly, at the start of 2020. For most devices this firmware update must be applied manually by service technicians, because a remote service platform for firmware updates is not yet fully rolled out. Multiple COVID-19 lockdowns drastically delayed this patching process across hundreds of thousands of devices.
If you have not received an update yet, approach your Konica Minolta contact.
SEC Consult recommends performing a thorough security review conducted by security professionals to identify and resolve all security issues. Furthermore, it is necessary to implement secure software design early in the development life cycle and to adopt secure patch management procedures through an ISMS.
SEC Consult also published a blog post titled "Someone call the patch manager - how COVID-19 left hundreds of thousands of printers vulnerable", which contains a practical example of a possible attack vector.
Vulnerability overview/description
1) Sandbox Escape on the Physical Printer Touch Screen Terminal (CVE-2022-29586)
A touch screen terminal is attached to the printer to manage print jobs, create new scans, copy pages or configure the device. The terminal hosts a user interface that is based on a proprietary application.
Opening certain applications and/or settings via the terminal produced a slight change in the look and feel of the user interface itself. This was quickly determined to be the result of a context change, meaning that the applications running are not based solely on the proprietary application.
After attaching a keyboard to one of the printer's multiple USB ports and pressing specific key combinations, it was determined that some application parts run in an ordinary Chromium browser in "kiosk mode", which can be escaped easily even though most key combinations were blacklisted. This gives an attacker full access to the printer's underlying operating system and file system, including configuration files, clear-text passwords, proprietary scripts and much more.
2) Terminal UI/Chromium running as root (CVE-2022-29587)
After escaping the printer terminal's sandbox, it was determined that the printer UI and the Chromium browser run with root privileges. This gives an attacker full access to all files and folders on the operating system.
3) Passwords stored in clear text on the file system (CVE-2022-29588)
Multiple clear-text passwords were found on the printer's file system.
This includes:
- Unix User Account Passwords
- Printer Administrative Passwords
Examples can be found in the following proof of concept section.
Proof of concept
The referenced screenshots in this advisory can be found in our blog post.
1) Sandbox Escape on the Physical Printer Touch Screen Terminal (CVE-2022-29586)
The following steps are necessary to gain full access to the printer's operating system. Physical access to the device is required, "User Authentication" must be in use and "Public User Access" must be enabled on the device.
Step 1 - Public User Access
The attacker has access to the device as "Public User". The button is marked red in "step1.jpg".
Step 2 - Utility
An attacker has to click on the button called "Utility" in the user interface, which should be open after step 1. The button is marked red in "step2.jpg".
Step 3 - Utility again
An attacker has to click on the slightly different "Utility" button again in the next window. The button is marked red in "step3.jpg".
Step 4 - Accessing Chromium
A slight change in the design of the user interface can be observed after clicking on the "Utility" button marked red in the step above. The reason is that the application now visible is launched inside a Chromium browser in kiosk mode. The web application loaded in Chromium can be seen in image "step4.jpg".
Step 5 - Attaching a keyboard
A keyboard has to be attached to the printer to break out of the terminal's sandbox and gain access to the operating system. This can be done directly via the USB port available on all printers.
Step 6 - Access Chromium Developer Console
Most of the shortcuts available on a normal Linux operating system are blocked or crash the printer terminal, but it was still possible to get full access to the system by pressing F12, which opened the Chromium developer console. This can be seen in "step6.jpg".
Step 7 - Accessing the file system
The "Sources" tab of the Chromium developer tools can be used to get full file system access. Arbitrary folders can be added and read by clicking on "Add folder to workspace".
For example, the folder /var/log/nginx/html/ was added to Chromium, which revealed a lot of interesting files. Probably the most interesting one is the file called "ADMINPASS", which contains the printer's administrator account password in clear text.
2) Terminal UI/Chromium running as root (CVE-2022-29587)
Files such as /etc/shadow can be accessed with the root user's permissions.
3) Passwords stored in clear text on the file system (CVE-2022-29588)
The following files containing clear text passwords were identified on the printer's file system:
3.1) /etc/shadow
The shadow file contained the password of the user ORDBMS. No passwords were set for other users.
3.2) /var/log/nginx/html/ADMINPASS
This file contains the password for the printer's web interface: the "ADMINPASS" file holds the administrator's password for the printer's terminal/web interface in clear text. Another file with sensitive content was found in the same directory, /var/log/nginx/html.
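The following audit helpers are an added example (not SEC Consult's or Konica Minolta's code) covering findings 2 and 3: they classify /etc/shadow entries, look for the clear-text ADMINPASS file in the nginx web root, and flag browser processes running as root. They operate on constructed copies of the three inputs so the checks run offline; the account "webui" and the hash value are placeholders, not data from the device.

```python
# Constructed sample of /etc/shadow, modelled on finding 3.1: the ORDBMS
# account carries a usable hash, the other accounts are locked or empty.
# The hash and the "webui" account are placeholders, not values from the device.
SAMPLE_SHADOW = (
    "root:*:18000:0:99999:7:::\n"
    "ORDBMS:$6$placeholder$PLACEHOLDERHASHPLACEHOLDERHASH:18000:0:99999:7:::\n"
    "nobody:!:18000:0:99999:7:::\n"
    "webui::18000:0:99999:7:::\n"
)

def shadow_password_state(shadow_text):
    """Classify every shadow entry as 'hash' (usable password), 'locked'
    ('*' or '!' prefix) or 'empty' (no password at all, i.e. passwordless login)."""
    state = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        name, field = line.split(":", 2)[:2]
        if field == "":
            state[name] = "empty"
        elif field[0] in "*!":
            state[name] = "locked"
        else:
            state[name] = "hash"
    return state

def accounts_with_usable_password(shadow_text):
    """Accounts an attacker could crack offline once /etc/shadow is readable."""
    return sorted(u for u, s in shadow_password_state(shadow_text).items() if s == "hash")

# Constructed listing of /var/log/nginx/html, modelled on finding 3.2.
SAMPLE_WEBROOT = ["index.html", "ADMINPASS", "app.js"]
CREDENTIAL_FILE_NAMES = {"ADMINPASS"}  # the advisory names only this file

def credential_files_in_webroot(listing):
    """Return files in the web root known to hold clear-text credentials."""
    return [f for f in listing if f in CREDENTIAL_FILE_NAMES]

# Constructed output in the shape of `ps -eo uid,comm`, modelled on finding 2.
SAMPLE_PS = "UID COMMAND\n0 init\n0 chromium\n1000 nginx\n"

def browser_processes_as_root(ps_text, names=("chromium", "chrome")):
    """Return browser process names that run with UID 0."""
    hits = []
    for line in ps_text.splitlines()[1:]:  # skip the header row
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0] == "0" and parts[1] in names:
            hits.append(parts[1])
    return hits
```

On a real device the same functions would be fed the live /etc/shadow, an os.listdir() of the web root and the output of ps; a non-empty result from any of them means the corresponding finding is still present.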
Vulnerable / tested versions
According to Konica Minolta, 46 bizhub MFP models are affected. According to the vendor, the number of affected devices in the field is in the hundreds of thousands worldwide. These devices are also re-branded and sold by other companies.
The vulnerabilities have been tested on the following devices:
- C3350i
- C3300i