Rapid7 conducted a zero-day research project into multifunction printers (MFP) from Brother Industries, Ltd. This research resulted in the discovery of 8 new vulnerabilities. Some or all of these vulnerabilities have been identified as affecting 689 models across Brother’s range of printer, scanner, and label maker devices. Additionally, 46 printer models from FUJIFILM Business Innovation, 5 printer models from Ricoh, 2 printer models from Toshiba Tec Corporation, and 6 models from Konica Minolta, Inc. are affected by some or all of these vulnerabilities. In total, 748 models across 5 vendors are affected. Rapid7, in conjunction with JPCERT/CC, has worked with Brother over the last thirteen months to coordinate the disclosure of these vulnerabilities.
The most serious of the findings is the authentication bypass CVE-2024-51978. A remote unauthenticated attacker can leak the target device’s serial number through one of several means, and in turn generate the target device’s default administrator password. This is due to the discovery of the default password generation procedure used by Brother devices. This procedure transforms a serial number into a default password. Affected devices have their default password set, based on each device’s unique serial number, during the manufacturing process. Brother has indicated that this vulnerability cannot be fully remediated in firmware, and has required a change to the manufacturing process of all affected models. Only affected models that are made via this new manufacturing process will be fully remediated against CVE-2024-51978. For all affected models made via the old manufacturing process, Brother has provided a workaround.
A summary of the 8 vulnerabilities is shown below:
CVE Description Affected Service CVSS CVE-2024-51977 An unauthenticated attacker can leak sensitive information. HTTP (Port 80), HTTPS (Port 443), IPP (Port 631) 5.3 (Medium) CVE-2024-51978 An unauthenticated attacker can generate the device’s default administrator password. HTTP (Port 80), HTTPS (Port 443), IPP (Port 631) 9.8 (Critical) CVE-2024-51979 An authenticated attacker can trigger a stack based buffer overflow. HTTP (Port 80), HTTPS (Port 443), IPP (Port 631) 7.2 (High) CVE-2024-51980 An unauthenticated attacker can force the device to open a TCP connection. Web Services over HTTP (Port 80) 5.3 (Medium) CVE-2024-51981 An unauthenticated attacker can force the device to perform an arbitrary HTTP request. Web Services over HTTP (Port 80) 5.3 (Medium) CVE-2024-51982 An unauthenticated attacker can crash the device. PJL (Port 9100) 7.5 (High) CVE-2024-51983 An unauthenticated attacker can crash the device. Web Services over HTTP (Port 80) 7.5 (High) CVE-2024-51984 An authenticated attacker can disclose the password of a configured external service. LDAP, FTP 6.8 (Medium) [….]
Source: Multiple Brother Devices: Multiple Vulnerabilities (FIXED) – Rapid7 Blog
Robin Edgar
Organisational Structures | Technology and Science | Military, IT and Lifestyle consultancy | Social, Broadcast & Cross Media | Flying aircraft