Critical Bugs in Canon Small Office Printers Allow Code Execution, DDoS

Canon has patched seven critical buffer-overflow bugs affecting its small office multifunction printers and laser printers.

Tracked as CVE-2023-6229 through CVE-2023-6234 (plus CVE-2024-0244), they affect different processes common across Canon's product lines – the username or password process involved with authenticating mobile devices, for example, the Service Location Protocol (SLP) attribute request process, and more.

The company assigned them all "critical" 9.8 out of 10 ratings on the Common Vulnerability Scoring System (CVSS) scale. As explained in a security advisory, they can allow unauthenticated attackers to remotely perform denial of service (DoS) or arbitrary code execution against any affected printers connected directly to the Internet. They also offer a handy pivot point to burrow deeper into victim networks.

No exploitations have been observed in the wild as of yet, according to the company's European site, but owners should scan for indicators of compromise given that the bugs have been publicly known but unpatched for months.

Hard to Handle: The Problem With Printer Security

The seven vulnerabilities patched on Feb. 5 were revealed alongside dozens of others at Pwn2Own Toronto's SOHO Smashup last summer, where contestants were invited to breach routers and then the small office/home office (SOHO) devices they connect to.

Printers, so rarely recognized as fertile grounds for cyberattacks, were given their own category at the event.

"It's a pretty large attack surface right now that's often overlooked, especially in small businesses, because it's hard to manage from an enterprise level," explains Dustin Childs, head of threat awareness for Trend Micro's Zero Day Initiative (ZDI), which runs the Pwn2Own hacking contest. "I mean, it's not like printers have automatic updates or other features that you can use to manage them cleanly and easily."

He adds, "printers have always been kind of notorious for being finicky. You can go back to Office Space — one of the big scenes where they took a baseball bat to the printer. It's a joke, but it's a joke that's based in reality. These things are difficult to manage. The drivers are difficult to manage. And there's a lot of problematic software on them."

As a result, an old office printer — connected to other, more sensitive devices in a small or midsized business (SMB) network — tends to be rather trivial to crack.

"I was a little shocked with how little they had to work on it to find really workable exploits," Childs recalls of Pwn2Own Toronto. As a case in point: "Last year somebody played the Mario theme on a printer. And he said it took him longer to figure out how to play the Mario theme than to exploit the printer."

What SMBs Can Do About Printer Security Chaos

Beyond the obvious step of updating to the latest firmware, Canon is advising its customers to "set a private IP address for the products and create a network environment with a firewall or wired/Wi-Fi router that can restrict network access."

The advice speaks to a larger point: that even if printers are thick and unwieldy, what's manageable is their connectivity.

"It used to be that there were, believe it or not, Internet-addressable printers. What businesses have done is they've gotten printers off the Internet, which is a change over the last decade. Now we've got them behind at least a firewall, or router, or something," Childs explains.

However, he adds, "as we've seen with PrintNightmare and other printer-based exploits, you can get past that firewall and then attack a printer, then pivot from that to other targets within an enterprise." To prevent a printer compromise from reaching further into a network, SMBs need to focus on properly segmenting different areas of their networks.

The best way to protect the printers themselves, meanwhile, is to patch. As Childs recalls, "I can't tell you how many times I've heard of printers that were exploited that were three or four updates behind."