Security researchers have been able to exploit vulnerabilities on all-in-one printers by sending a malicious fax, enabling them to infiltrate corporate networks.
The vulnerabilities were discovered by Check Point in a common implementation of the fax protocol, using HP Officejet all-in-one printers. HP has since released a patch after working with the security firm, but the issue could persist on other machines.
Check Point claimed that the issue is critical given that faxes are still widely in use: a cursory internet search apparently yielded hundreds of millions of numbers.
The attack could enable hackers to infiltrate corporate networks or use the connected printer to remotely steal sensitive documents, mine Bitcoin or carry out other nefarious tasks.
“Using nothing but a phone line, we were able to send a fax that could take full control over the printer, and later spread our payload inside the computer network accessible to the printer,” the vendor claimed.
“We believe that this security risk should be given special attention by the community, changing the way that modern network architectures treat network printers and fax machines. From now on, a fax machine should be treated as a possible infiltration vector into the corporate network.”
The research team revealed two vulnerabilities discovered in the course of the research: CVE-2018-5925, a buffer overflow while parsing COM markers, and CVE-2018-5924, a stack-based buffer overflow while parsing DHT markers.
The white hats used the latter in their actual attack as it was easier to exploit. Infamous NSA exploits Eternal Blue and Double Pulsar were then used to autonomously spread the payload over a connected network.
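CVE-2018-5924 above is a stack overflow while parsing DHT markers. As an added example (not code from this article, Check Point or HP), the C function below shows the two bounds checks a DHT parser needs before copying symbols into a fixed-size buffer, using the segment layout from the JPEG standard (ITU-T T.81). The names `dht_table` and `dht_parse_first` and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DHT_MAX_SYMBOLS 256 /* a Huffman table holds at most 256 symbols */

typedef struct {
    uint8_t counts[16];               /* codes per bit length 1..16 */
    uint8_t symbols[DHT_MAX_SYMBOLS]; /* fixed-size destination */
    size_t nsymbols;
} dht_table;

/* seg points at the 2-byte big-endian length that follows the FF C4 marker;
 * avail is the number of input bytes left. Returns 0, or <0 if malformed. */
int dht_parse_first(const uint8_t *seg, size_t avail, dht_table *out)
{
    if (avail < 2) return -1;
    size_t seglen = ((size_t)seg[0] << 8) | seg[1]; /* counts itself */
    if (seglen < 2 + 1 + 16 || seglen > avail) return -2;
    const uint8_t *p = seg + 2;       /* Tc/Th byte, then 16 counts */
    size_t left = seglen - 2;
    if ((p[0] >> 4) > 1 || (p[0] & 0x0F) > 3) return -3;
    size_t total = 0;
    for (int i = 0; i < 16; i++) total += p[1 + i];
    if (total > DHT_MAX_SYMBOLS) return -4; /* would overrun symbols[] */
    if (total > left - 17) return -5;       /* would read past the segment */
    memcpy(out->counts, p + 1, 16);
    memcpy(out->symbols, p + 17, total);
    out->nsymbols = total;
    return 0;
}

/* Constructed samples, not taken from the page or any real fax. */
static const uint8_t SAMPLE_OK[] = { 0x00,0x16, 0x00,
    0,1,2,0,0,0,0,0,0,0,0,0,0,0,0,0, 0x0A,0x0B,0x0C };
static const uint8_t SAMPLE_HUGE[] = { 0x00,0x13, 0x00, /* counts sum to 4080 */
    255,255,255,255,255,255,255,255,255,255,255,255,255,255,255,255 };
static const uint8_t SAMPLE_SHORT[] = { 0x00,0x15, 0x00, /* claims 5, carries 2 */
    5,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0, 0x0A,0x0B };

int main(void)
{
    dht_table t;
    printf("ok=%d huge=%d short=%d\n",
           dht_parse_first(SAMPLE_OK, sizeof SAMPLE_OK, &t),
           dht_parse_first(SAMPLE_HUGE, sizeof SAMPLE_HUGE, &t),
           dht_parse_first(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &t));
    return 0;
}
```

The sum of the 16 count bytes is attacker-controlled input, so it is checked against both the destination size and the bytes actually present in the segment before any copy.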
However, not everyone was convinced about the seriousness of the implications. ThinkMarble Red Team leader, Tom B, claimed that there are several barriers for malicious attackers.
“First of all, receiving a fax is essentially like receiving a telephone call — they are generally traceable. Furthermore, phone calls also cost money. Phoning millions of fax machines to find a vulnerable model is expensive, and this will dissuade the common cyber-criminal,” he explained.
“Even where cost and traceability are not an issue, faxes take a relatively long time to come through. Sending a malicious fax to millions of fax machines with the hope of finding a vulnerable model would take a very long time.”
Even in a highly targeted attack, the attacker would first need the model number of a machine and details of a working exploit to succeed.
“Once crafted, there would be no guarantees that the payload would not simply crash the device instead of executing the code,” he argued.
The best way to keep fax machines and printers secure is to ensure they’re regularly patched and updated, he concluded.