
Source: Rapid7
Rapid7 researchers have discovered vulnerabilities in Xerox Versalink C7025 multifunction printers that could allow attackers to steal user credentials. The vulnerabilities, identified as CVE-2024-12510 and CVE-2024-12511, enable what’s known as a “pass-back attack,” where the printer is tricked into sending authentication data back to the attacker.
The Xerox Versalink C7025 is a popular enterprise-grade printer offering print, copy, scan, fax, and email capabilities. The vulnerabilities affect devices running firmware version 57.69.91 and earlier.
“This pass-back style attack leverages a vulnerability that allows a malicious actor to alter the MFP’s configuration and cause the MFP device to send authentication credentials back to the malicious actor,” the Rapid7 report explains.
Attackers can exploit these vulnerabilities to capture credentials for services like LDAP, SMB, and FTP. This could allow them to gain access to sensitive information or even move laterally within an organization’s network to compromise other systems.
The attacker needs access to the printer’s admin account or physical access to the printer console. They can then modify the printer’s configuration to redirect authentication requests to a server under their control. When a user attempts to authenticate with a service like LDAP or SMB, the printer unknowingly sends their credentials to the attacker’s server.
Xerox has released firmware updates to address these vulnerabilities. Organizations using affected Versalink printers are strongly advised to upgrade to the latest patched version as soon as possible.
As a temporary mitigation, Rapid7 recommends setting a complex password for the admin account and avoiding the use of Windows authentication accounts with elevated privileges for services like LDAP and SMB. Disabling the remote-control console for unauthenticated users is also recommended.
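Because a pass-back attack works by pointing the printer's LDAP, SMB or FTP settings at a host the attacker controls, the most reliable defender-side signal is a printer opening an authentication connection to a destination that is not one of the organization's sanctioned servers. The example below is an added illustration, not code from Rapid7 or Xerox: it audits an exported settings dictionary (the `ldap_server` and `ldap_tls` keys are assumed placeholder names, since Versalink export formats vary) against an allowlist, and it scans constructed flow-log lines for printers talking to unapproved LDAP/SMB/FTP hosts. The IP addresses, log format and allowlist are all constructed for the example.

```python
"""Pass-back detection helpers (added example; not Rapid7's or Xerox's code)."""
from dataclasses import dataclass

# Constructed inventory: printer management addresses and the only hosts
# they should ever authenticate against per service.
PRINTER_HOSTS = {"10.10.5.20", "10.10.5.21"}
APPROVED_AUTH_SERVERS = {
    "ldap": {"10.10.1.10", "10.10.1.11"},   # domain controllers
    "smb": {"10.10.2.5"},                   # scan-to-folder file server
    "ftp": set(),                           # no FTP destinations are sanctioned
}
# Ports on which a reconfigured printer would leak credentials.
AUTH_PORTS = {389: "ldap", 636: "ldap", 3268: "ldap", 445: "smb", 139: "smb", 21: "ftp"}


@dataclass
class Finding:
    src: str
    dst: str
    port: int
    service: str
    reason: str


def audit_config(config):
    """Check an exported printer settings dict (assumed key names) for
    pass-back risk: an unapproved LDAP target, or LDAP without TLS so a
    simple bind would send the service account's password in cleartext."""
    issues = []
    ldap_host = config.get("ldap_server")
    if ldap_host and ldap_host not in APPROVED_AUTH_SERVERS["ldap"]:
        issues.append(f"LDAP server {ldap_host} is not an approved directory host")
    if ldap_host and config.get("ldap_tls") is False:
        issues.append("LDAP bind configured without TLS; credentials would travel in cleartext")
    smb_host = config.get("smb_server")
    if smb_host and smb_host not in APPROVED_AUTH_SERVERS["smb"]:
        issues.append(f"SMB destination {smb_host} is not an approved file server")
    return issues


def parse_flow(line):
    """Parse one constructed flow-log line:
    '<timestamp> src=<ip> dst=<ip> dport=<port> proto=tcp'."""
    fields = dict(part.split("=", 1) for part in line.split()[1:])
    return fields["src"], fields["dst"], int(fields["dport"])


def check_flows(lines):
    """Flag any printer-originated connection on an authentication port
    whose destination is not in the allowlist for that service."""
    findings = []
    for line in lines:
        src, dst, port = parse_flow(line)
        if src not in PRINTER_HOSTS or port not in AUTH_PORTS:
            continue  # not a printer, or not a credential-bearing protocol
        service = AUTH_PORTS[port]
        if dst not in APPROVED_AUTH_SERVERS[service]:
            findings.append(Finding(src, dst, port, service,
                                    f"printer authenticating to unapproved {service} host"))
    return findings


# Constructed sample flows: two benign, two that look like credential pass-back,
# and one workstation line that must be ignored because it is not a printer.
SAMPLE_FLOWS = [
    "2025-02-14T10:00:01Z src=10.10.5.20 dst=10.10.1.10 dport=389 proto=tcp",
    "2025-02-14T10:00:05Z src=10.10.5.20 dst=203.0.113.7 dport=389 proto=tcp",
    "2025-02-14T10:00:09Z src=10.10.5.21 dst=10.10.2.5 dport=445 proto=tcp",
    "2025-02-14T10:00:12Z src=10.10.5.21 dst=198.51.100.4 dport=21 proto=tcp",
    "2025-02-14T10:00:15Z src=10.10.7.30 dst=203.0.113.7 dport=389 proto=tcp",
]

if __name__ == "__main__":
    for f in check_flows(SAMPLE_FLOWS):
        print(f"{f.src} -> {f.dst}:{f.port} ({f.service}): {f.reason}")
    print(audit_config({"ldap_server": "203.0.113.7", "ldap_tls": False}))
```

The allowlist approach also makes the interim mitigation measurable: if the printer's LDAP or SMB account is a low-privilege service account rather than a privileged Windows account, a flagged connection is a contained incident rather than a domain-wide one, and the config audit gives a quick way to confirm that no printer's directory settings have drifted after firmware is updated.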