Vulnerabilities / Threats
11/28/2012
02:30 PM
Connect Directly
RSS
E-Mail
50%
50%

Samsung Printers Have Hidden Security Risk

Some Samsung printers, and Dell-branded printers manufactured by Samsung, can be remotely accessed by attackers. Here's how.

Some Samsung printers and Dell-branded printers manufactured by Samsung are vulnerable to being taken over remotely by an attacker.

That warning was made Monday by the U.S. Computer Emergency Readiness Team (CERT), which said that the affected printers "contain a hardcoded SNMP full read-write community string that remains active even when SNMP is disabled in the printer management utility." In other words, the printers have a hardcoded account in their firmware that can't be disabled by users. SNMP, or simple network management protocol, is a TCP/IP-based network protocol used to manage and monitor network device configuration.

[ Hackers stole financial and other sensitive information from compromised state system. Read about it at How South Carolina Failed To Spot Hack Attack. ]

As a result of the vulnerability, "a remote, unauthenticated attacker could access an affected device with administrative privileges," according to the CERT information security advisory. "Secondary impacts include: the ability to make changes to the device configuration, access to sensitive information -- e.g. device and network information, credentials, and information passed to the printer -- and the ability to leverage further attacks through arbitrary code execution." That means that after accessing the administrator account, attackers could theoretically transform the printer into a malware-spewing attack platform that's able to target any other network-connected device located inside the same network segment or firewall.

Samsung has acknowledged the vulnerability and promised to release a patch within days. "Samsung is aware of and has resolved the security issue affecting Samsung network printers and multifunction devices. The issue affects devices only when SNMP is enabled, and is resolved by disabling SNMP," said Samsung spokesman Reuben Staines via email. "We take all matters of security very seriously and we are not aware of any customers who have been affected by this vulnerability. Samsung is committed to releasing updated firmware for all current models by November 30, with all other models receiving an update by the end of the year. However, for customers that are concerned, we encourage them to disable SNMPv1.2 or use the secure SNMPv3 mode until the firmware updates are made."

Samsung has yet to release full details about exactly which printer models and firmware versions are affected. But it did say that no Samsung and Dell printers released from November 1, 2012 and later contain the vulnerability.

Both Samsung and Dell were advised of the firmware vulnerability on August 23, 2012, by security researcher Neil Smith, who Tuesday published further details of the vulnerability. According to Smith, Samsung has now removed all downloadable versions of its printer firmware from its support pages, but he noted that samples of the affected firmware are still available from the Dell support site. That particular printer firmware installer is named "Dell2335dn_A11_v2.70.06.21.exe." In a Twitter post, Smith suggested that Korea-based Samsung moved less than quickly to address the flaw. "It's been frustrating working with samsung. Internal ITsec at S confirmed it. Kr:HQ pulled them off. CERT pubd and so did I," he said.

The Samsung vulnerability warning is a reminder that printers -- among other network-connected devices, such as home security webcams -- may contain embedded Web servers that may be permanently enabled. One security best practice, according to the CERT advisory, is to allow connections only from trusted hosts and networks to any network-connected peripheral, and that's one temporary workaround for any organization that currently uses a Samsung or Dell network-connected printer. "Restricting access would prevent an attacker from accessing an SNMP interface using the affected credentials from a blocked network location," noted CERT.

Another risk from attackers being able to remotely access a Web-connected printer is corporate espionage. According to research released last year by Michael Sutton, VP of security research for Web security firm Zscaler Labs, he was able to fingerprint, or identify, one million Internet-connected systems. Many of those systems were embedded Web servers inside Web-connected photocopiers, scanners, and VoIP systems and weren't secured in any manner, such as requiring a username or password. As a result, Sutton was able to freely download numerous types of documents stored on the Internet-connected devices.

Building a more robust network vulnerability management program can help you identify security holes before an attacker does, as well as develop more secure systems and applications in the future. In the A Guide To Network Vulnerability Management report, we examine the products and practices that will get you there. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Zod
50%
50%
Zod,
User Rank: Apprentice
2/5/2013 | 12:28:13 AM
re: Samsung Printers Have Hidden Security Risk
"contain a hardcoded SNMP full read-write community string that remains active even when SNMP is disabled in the printer management utility." In other words, the printers have a hardcoded account in their firmware that can't be disabled by users. SNMP"

and

"The issue affects devices only when SNMP is enabled, and is resolved by disabling SNMP," said Samsung spokesman Reuben Staines via email."

So? Which is it? Samsung says that if you disable SNMP, the exploit is invalid....the exploit says that even *IF* SNMP is turned off, the exploit is still valid!
This is conflicting information that makes this article confusing....why didn't the writer of this article hold Reuben's feet to the fire for making this statement? I mean, if he made this statement in error, this shows a complete lack of understanding by Samsung and shows that their SAFE endevour is nothing more than advertising hype.
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-6306
Published: 2014-08-22
Unspecified vulnerability on IBM Power 7 Systems 740 before 740.70 01Ax740_121, 760 before 760.40 Ax760_078, and 770 before 770.30 01Ax770_062 allows local users to gain Service Processor privileges via unknown vectors.

CVE-2014-0232
Published: 2014-08-22
Multiple cross-site scripting (XSS) vulnerabilities in framework/common/webcommon/includes/messages.ftl in Apache OFBiz 11.04.01 before 11.04.05 and 12.04.01 before 12.04.04 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, which are not properly handled in a (1)...

CVE-2014-3525
Published: 2014-08-22
Unspecified vulnerability in Apache Traffic Server 4.2.1.1 and 5.x before 5.0.1 has unknown impact and attack vectors, possibly related to health checks.

CVE-2014-3563
Published: 2014-08-22
Multiple unspecified vulnerabilities in Salt (aka SaltStack) before 2014.1.10 allow local users to have an unspecified impact via vectors related to temporary file creation in (1) seed.py, (2) salt-ssh, or (3) salt-cloud.

CVE-2014-3587
Published: 2014-08-22
Integer overflow in the cdf_read_property_info function in cdf.c in file through 5.19, as used in the Fileinfo component in PHP before 5.4.32 and 5.5.x before 5.5.16, allows remote attackers to cause a denial of service (application crash) via a crafted CDF file. NOTE: this vulnerability exists bec...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Three interviews on critical embedded systems and security, recorded at Black Hat 2014 in Las Vegas.