Sandbox Escape with Root Access & Clear-text passwords in Konica Minolta bizhub MFP Printer Terminals

Title

Sandbox Escape with Root Access & Clear-text passwords

Product

Multiple Konica Minolta bizhub MFP Printer Terminals

Vulnerable Version

see vulnerable / tested versions below

Fixed Version

see solution section below

CVE Number

CVE-2022-29586, CVE-2022-29587, CVE-2022-29588

Impact

critical

Homepage

https://www.konicaminolta.com

Found

25.11.2019

By

Werner Schober (Office Vienna) Johannes Kruchem (Office Vienna) SEC Consult Vulnerability Lab

Multiple Konica Minolta MFP bizhub devices, as well as devices from other manufacturers with the same firmware, are vulnerable to a sandbox breakout via the internal browser that displays the help menus. The browser itself is started with root privileges, which allows access to the complete file system. A file in the file system contained the administrator password for the printer's web interface in plain text.

Vendor description

"Konica Minolta is a Japanese multinational technology company headquartered in Marunouchi, Chiyoda, Tokyo, with offices in 49 countries worldwide. The company manufactures business and industrial imaging products, including copiers, laser printers, multi-functional peripherals (MFPs) and digital print systems for the production printing market. Konica Minolta's Managed Print Service (MPS) is called Optimised Print Services. The company also makes optical devices, including lenses and LCD film; medical and graphic imaging products, such as X-ray image processing systems, colour proofing systems, and X-ray film; photometers, 3-D digitizers, and other sensing products; and textile printers." 

Source: https://en.wikipedia.org/wiki/Konica_Minolta 

 

Business recommendation

Konica Minolta provided a patch of the firmware and operating system very quickly at the start of the year 2020. For most of the devices this firmware update must be manually applied by service technicians as a remote service platform for remote firmware updates is not fully rolled out yet. Multiple COVID-19 lockdowns delayed this patching process of over hundreds of thousands of devices drastically. 

In case you didn't receive an update yet, approach your Konica Minolta contact. 

SEC Consult recommends to perform a thorough security review conducted by security professionals to identify and resolve all security issues. Furthermore, it is necessary to implement secure software design early in the development life cycle and adapt secure patch management procedures through an ISMS. 

SEC Consult also published a blog post titled "Someone call the patch manager - how COVID-19 left hundreds of thousands of printers vulnerable" containing a practical example of a possible attack vector. 

 

Vulnerability overview/description

1) Sandbox Escape on the Physical Printer Touch Screen Terminal (CVE-2022-29586) 

A touch screen terminal is attached to the printer in order to manage print jobs, create new scans, simply copy a page or to configure the device. The touch screen terminal hosts a user interface, which is based upon a proprietary application. 

By opening certain applications and/or settings via the terminal, it was possible to observe a slight change in the look and feel of the user interface itself. It was quickly determined that this was the result of context change, meaning that the applications running are not solely based on the proprietary application only. 

After attaching a keyboard to one of the multiple USB ports of the printer and pressing specific key combinations, it was possible to determine that some application parts are running an ordinary Chromium browser in "kiosk mode", which can be escaped easily, although most of the key combinations were blacklisted. This allows an attacker to get full access to the underlying printer's operating-  and file system, including configuration files, passwords in clear text, proprietary scripts and many more. 

2) Terminal UI/Chromium running as root (CVE-2022-29587) 

It was determined that the printer UI and the Chromium browser are running with root privileges after escaping the printer terminal's sandbox. This allows an attacker to get full access to all files and folders on the operating system.  

3) Passwords stored in clear text on the file system (CVE-2022-29588) 

Multiple passwords in clear-text were found on the file system of the printer. 

This includes: 

  • Unix User Account Passwords 
  • Printer Administrative Passwords 

Examples can be found in the following proof of concept section.  

Proof of concept

The referenced screenshots in this advisory can be found in our blog post.

1) Sandbox Escape on the Physical Printer Touch Screen Terminal (CVE-2022-29586)  

The following steps are necessary to get full access to the printer's operating system. It is necessary to have physical access to the device and "User Authentication" must be used and "Public User Access" must be enabled on the device.   

Step 1 - Public User Access 

The attacker has access as "Public User" to the device.  The button is marked red in "step1.jpg". 

Step 2 - Utility 

An attacker has to click on the button called "Utility" in the user interface which should be open after step 1. The button is marked red in "step2.jpg". 

Step 3 - Utility again 

An attacker has to click on the slightly different "Utility" button again in the next window. The button is marked red in "step3.jpg". 

Step 4 – Accessing Chromium 

A slight change in the design of the user interface can be observed after clicking on the "Utility" button marked red in the step above. The reason for that is that the application, which is now visible, is launched inside of a Chromium browser in kiosk mode. The loaded web application in Chromium can be seen in image "step4.jpg". 

Step 5 – Attaching a keyboard 

A keyboard has to be attached to the printer to breakout of the terminal's sandbox and get access to the operating system. This can be done directly via the USB port available on all printers. 

Step 6 – Access Chromium Developer Console 

Most of the shortcuts available on a normal Linux operating system are blocked or crash the printer terminal, but it was still possible to get full access to the system by pressing the key F12, which opened up the Chromium developer console. This can be seen in "step6.jpg". 

Step 7 – Accessing the file system 

The tab sources in the Chromium developer tools can be used to get full file system access. Arbitrary folders can be added and read by clicking on "Add folder to workspace".

For example, the folder /var/log/nginx/html/ got added to Chromium, which revealed a lot of interesting files. The probably most interesting one is the file called "ADMINPASS" containing the printer's administrator account password in cleartext. 

2) Terminal UI/Chromium running as root  (CVE-2022-29587)  

Files such as /etc/shadow can be accessed with the root user's permissions. 

3) Passwords stored in clear text on the file system  (CVE-2022-29588)  

The following files containing clear text passwords were identified on the printer's file system: 

3.1) /etc/shadow 

The shadow file contained the password of the user ORDBMS. No passwords were set for other users. 

3.2) /var/log/nginx/html/ADMINPASS 

This file contains the password for the printer's web interface. Another file with sensitive content was found in /var/log/nginx/html. The "ADMINPASS" file contained the administrator's password for the printer's terminal/web interface in clear text. 

Vulnerable / tested versions

According to Konica Minolta, 46 bizhub MFP models are affected. The number of affected  devices in the field are in the hundreds of thousands worldwide according to the vendor.  These devices are also re-branded and sold by other companies. 

The vulnerabilities have been tested on the following devices: 

  • C3350i 
  • C3300i 

Konica Minolta provided the following list of affected models / versions: 

​Model name Affected FW version CVE-ID
bizhub 227, 287, 367, 308, 368, 458, 558, 758, 808, 958, PRO958, 308e, 368e, 458e, 558e, 658e, 4752, 4052, C227, C287, C258, C308, C368, C458, C558, C658, C659, C759, C3351, C3851, C3851FS G00-U8 or later CVE-2022-29586 CVE-2022-29587
bizhub C450i, C550i, C650i G00-73 or later CVE-2022-29586 CVE-2022-29587
bizhub C250i, C300i, C360i, C4050i, C3350i, C4000i, C3300i G00-73 or later CVE-2022-29586 CVE-2022-29587
bizhub C250i, C300i, C360i, C4050i, C3350i, C4000i, C3300i Gxx-4A or prior CVE-2022-29586 CVE-2022-29587 CVE-2022-29588
bizhub 306i, 226i, 246i, 266i, C3320i Gxx-4A or prior CVE-2022-29588 CVE-2022-29587 CVE-2022-29586

Vendor contact timeline:

2020-01-16 Contacting vendor through "KONICA MINOLTA PSIRT Vulnerability Report Form"
2020-01-16 Vendor responds with GPG public key for psirt@konicaminolta.com
2020-01-16 Forwarding encrypted advisory to Konica Minolta PSIRT
2020-01-29 Update from Konica Minolta PSIRT - The reported vulnerabilities were successfully reviewed and will be patched in a future firmware release. The release date will be provided soon.
2020-2022 Postponing release multiple times as the remote service platform for remote firmware updates has not been rolled out for most devices yet and hundreds of thousands of printers have to be patched manually on-site during the COVID-19 pandemic.
2022-04-13 Requesting status update from Konica Minolta PSIRT.
2022-04-14 Konica Minolta PSIRT responds by stating that all devices directly affected have already been patched.
2022-04-25 Sending security advisory draft to vendor for review.
2022-05-09 Konica Minolta provides a list of affected models and feedback.
2022-05-10 Receiving further feedback, adjusting advisory.
2022-05-12 Coordinated release of security advisory

Solution

Konica Minolta already provided a patch of the firmware and operating system at the start of the year 2020 that must be applied by service technicians manually on-site at all of their customer locations. Most affected devices don't have a remote service platform for remote firmware updates yet. If your service technician hasn't patched your system yet, schedule an appointment. 

It has to be noted that Konica Minolta tried to patch most of their printers as soon as possible, which is not an easy task due to the large amount of affected printers and their manual procedure during the COVID-19 pandemic with multiple lockdowns. 

Konica Minolta provided the following list of models with fixed FW versions: 

Model name Fixed FW version
bizhub 227, 287, 367, 308, 368, 458, 558,758, 808, 958, PRO958, 308e, 368e, 458e,558e, 658e, 4752, 4052, C227, C287, C258, C308, C368, C458, C558, C658, C659, C759,C3351, C3851, C3851FS GC2-X4 or later
bizhub C550i, C650i G00-2B or later
bizhub C250i, C450i, C300i, C360i, C4050i, C3350i, C4000i, C3300i G00-7B or later
bizhub C3320i G00-4D or later
bizhub 306i, 226i, 246i, 266i G00-4F or later

Workaround

The following hardening/workaround is available and was provided directly from Konica Minolta. 

  • Disable the use of the external USB keyboard by "Customer Administrator" setting. 
  • In addition, it is strongly recommended to change the Customer Admin password to a new one. 

Advisory URL

www.sec-consult.com/vulnerability-lab/

EOF Werner Schober, Johannes Kruchem / @2022 

Interested to work with the experts of SEC Consult? Send us your application

Interested in improving your cyber security with the experts of SEC Consult? Contact our local offices

Back