Vulnerabilities / Threats
11/28/2012
02:30 PM
50%
50%

Samsung Printers Have Hidden Security Risk

Some Samsung printers, and Dell-branded printers manufactured by Samsung, can be remotely accessed by attackers. Here's how.

Some Samsung printers and Dell-branded printers manufactured by Samsung are vulnerable to being taken over remotely by an attacker.

That warning was made Monday by the U.S. Computer Emergency Readiness Team (CERT), which said that the affected printers "contain a hardcoded SNMP full read-write community string that remains active even when SNMP is disabled in the printer management utility." In other words, the printers have a hardcoded account in their firmware that can't be disabled by users. SNMP, or simple network management protocol, is a TCP/IP-based network protocol used to manage and monitor network device configuration.

[ Hackers stole financial and other sensitive information from compromised state system. Read about it at How South Carolina Failed To Spot Hack Attack. ]

As a result of the vulnerability, "a remote, unauthenticated attacker could access an affected device with administrative privileges," according to the CERT information security advisory. "Secondary impacts include: the ability to make changes to the device configuration, access to sensitive information -- e.g. device and network information, credentials, and information passed to the printer -- and the ability to leverage further attacks through arbitrary code execution." That means that after accessing the administrator account, attackers could theoretically transform the printer into a malware-spewing attack platform that's able to target any other network-connected device located inside the same network segment or firewall.

Samsung has acknowledged the vulnerability and promised to release a patch within days. "Samsung is aware of and has resolved the security issue affecting Samsung network printers and multifunction devices. The issue affects devices only when SNMP is enabled, and is resolved by disabling SNMP," said Samsung spokesman Reuben Staines via email. "We take all matters of security very seriously and we are not aware of any customers who have been affected by this vulnerability. Samsung is committed to releasing updated firmware for all current models by November 30, with all other models receiving an update by the end of the year. However, for customers that are concerned, we encourage them to disable SNMPv1.2 or use the secure SNMPv3 mode until the firmware updates are made."

Samsung has yet to release full details about exactly which printer models and firmware versions are affected. But it did say that no Samsung and Dell printers released from November 1, 2012 and later contain the vulnerability.

Both Samsung and Dell were advised of the firmware vulnerability on August 23, 2012, by security researcher Neil Smith, who Tuesday published further details of the vulnerability. According to Smith, Samsung has now removed all downloadable versions of its printer firmware from its support pages, but he noted that samples of the affected firmware are still available from the Dell support site. That particular printer firmware installer is named "Dell2335dn_A11_v2.70.06.21.exe." In a Twitter post, Smith suggested that Korea-based Samsung moved less than quickly to address the flaw. "It's been frustrating working with samsung. Internal ITsec at S confirmed it. Kr:HQ pulled them off. CERT pubd and so did I," he said.

The Samsung vulnerability warning is a reminder that printers -- among other network-connected devices, such as home security webcams -- may contain embedded Web servers that may be permanently enabled. One security best practice, according to the CERT advisory, is to allow connections only from trusted hosts and networks to any network-connected peripheral, and that's one temporary workaround for any organization that currently uses a Samsung or Dell network-connected printer. "Restricting access would prevent an attacker from accessing an SNMP interface using the affected credentials from a blocked network location," noted CERT.

Another risk from attackers being able to remotely access a Web-connected printer is corporate espionage. According to research released last year by Michael Sutton, VP of security research for Web security firm Zscaler Labs, he was able to fingerprint, or identify, one million Internet-connected systems. Many of those systems were embedded Web servers inside Web-connected photocopiers, scanners, and VoIP systems and weren't secured in any manner, such as requiring a username or password. As a result, Sutton was able to freely download numerous types of documents stored on the Internet-connected devices.

Building a more robust network vulnerability management program can help you identify security holes before an attacker does, as well as develop more secure systems and applications in the future. In the A Guide To Network Vulnerability Management report, we examine the products and practices that will get you there. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
Zod
50%
50%
Zod,
User Rank: Apprentice
2/5/2013 | 12:28:13 AM
re: Samsung Printers Have Hidden Security Risk
"contain a hardcoded SNMP full read-write community string that remains active even when SNMP is disabled in the printer management utility." In other words, the printers have a hardcoded account in their firmware that can't be disabled by users. SNMP"

and

"The issue affects devices only when SNMP is enabled, and is resolved by disabling SNMP," said Samsung spokesman Reuben Staines via email."

So? Which is it? Samsung says that if you disable SNMP, the exploit is invalid....the exploit says that even *IF* SNMP is turned off, the exploit is still valid!
This is conflicting information that makes this article confusing....why didn't the writer of this article hold Reuben's feet to the fire for making this statement? I mean, if he made this statement in error, this shows a complete lack of understanding by Samsung and shows that their SAFE endevour is nothing more than advertising hype.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?