A popular small to midrange Xerox business printer contains two now-patched vulnerabilities in its firmware that allow attackers an opportunity to gain full access to an organization's Windows environment. In certain situations, a malicious actor who successfully exploits the Xerox printer vulnerabilities would be able to capture credentials for Windows Active Directory, according to researchers at Rapid7 who discovered the flaws. "This means they could then move laterally within an organization's environment and compromise other critical Windows servers and file systems," Deral Heiland, principal security researcher, IoT, for Rapid7 wrote in a recent blog post.

The two vulnerabilities that Rapid7 discovered in the printer, and which Xerox has since fixed, are CVE-2024-12510 (CVSS score: 6.7), an LDAP pass-back vulnerability, and CVE-2024-12511 (CVSS score: 7.6), an SMB/FTP pass-back vulnerability. The attack would work if a vulnerable Xerox VersaLink C7025 printer is configured for LDAP and/or SMB services.

Xerox describes the VersaLink C7025 as a multifunction printer (MFP) featuring ConnectKey, a Xerox technology that allows customers to interact with the printers over the cloud and via mobile devices. Among other things, the technology includes security features that, according to Xerox, help prevent attacks, detect potentially malicious changes to the printer, and protect against unauthorized transmission of critical data.

The vulnerabilities, according to Rapid7, allow an attacker to change the MFP's configuration so as to cause the printer to send a user's authentication credentials to an attacker-controlled system. In such a situation, CVE-2024-12510 would allow an attacker to access the MFP's LDAP configuration page and change the LDAP server IP address in the printer's settings to point to their own malicious LDAP server.

All it takes for an attacker to discover a vulnerable printer is to connect to an affected Xerox MFP device through a Web browser, validate that the default password is still enabled, and ensure that the device is configured for LDAP and/or SMB services, Heiland tells Dark Reading. For an attacker who can do so, the LDAP vulnerability enables access to Windows Active Directory, where all administrator profiles and credentials reside.

"Since LDAP and SMB settings on MFP devices typically contain Windows Active Directory credentials, a successful attack would give a malicious actor access to Windows file services, domain information, email accounts, and database systems," Heiland says. "Sadly," he adds, "it's also not uncommon to find LDAP settings on MFP devices that contain Domain Admin credentials," which potentially could give a bad actor complete control of an organization's Windows environment.

The risk for organizations is that if a malicious actor were to gain any level of access to a business network, they could use the pass-back attack to easily harvest Active Directory credentials without being detected, he says. Organizations that cannot immediately patch should set a "complex password for the admin account and also avoid using Windows authentication accounts that have elevated privileges, such as a Domain Admin account for LDAP or scan-to-file SMB services," according to the Rapid7 blog post.
Source: www.darkreading.com. Publication date: Tue, 18 Feb 2025 22:30:07 +0000