Vulnerabilities / Threats
11/28/2012
02:30 PM
Connect Directly
RSS
E-Mail
50%
50%

Samsung Printers Have Hidden Security Risk

Some Samsung printers, and Dell-branded printers manufactured by Samsung, can be remotely accessed by attackers. Here's how.

Some Samsung printers and Dell-branded printers manufactured by Samsung are vulnerable to being taken over remotely by an attacker.

That warning was made Monday by the U.S. Computer Emergency Readiness Team (CERT), which said that the affected printers "contain a hardcoded SNMP full read-write community string that remains active even when SNMP is disabled in the printer management utility." In other words, the printers have a hardcoded account in their firmware that can't be disabled by users. SNMP, or simple network management protocol, is a TCP/IP-based network protocol used to manage and monitor network device configuration.

[ Hackers stole financial and other sensitive information from compromised state system. Read about it at How South Carolina Failed To Spot Hack Attack. ]

As a result of the vulnerability, "a remote, unauthenticated attacker could access an affected device with administrative privileges," according to the CERT information security advisory. "Secondary impacts include: the ability to make changes to the device configuration, access to sensitive information -- e.g. device and network information, credentials, and information passed to the printer -- and the ability to leverage further attacks through arbitrary code execution." That means that after accessing the administrator account, attackers could theoretically transform the printer into a malware-spewing attack platform that's able to target any other network-connected device located inside the same network segment or firewall.

Samsung has acknowledged the vulnerability and promised to release a patch within days. "Samsung is aware of and has resolved the security issue affecting Samsung network printers and multifunction devices. The issue affects devices only when SNMP is enabled, and is resolved by disabling SNMP," said Samsung spokesman Reuben Staines via email. "We take all matters of security very seriously and we are not aware of any customers who have been affected by this vulnerability. Samsung is committed to releasing updated firmware for all current models by November 30, with all other models receiving an update by the end of the year. However, for customers that are concerned, we encourage them to disable SNMPv1.2 or use the secure SNMPv3 mode until the firmware updates are made."

Samsung has yet to release full details about exactly which printer models and firmware versions are affected. But it did say that no Samsung and Dell printers released from November 1, 2012 and later contain the vulnerability.

Both Samsung and Dell were advised of the firmware vulnerability on August 23, 2012, by security researcher Neil Smith, who Tuesday published further details of the vulnerability. According to Smith, Samsung has now removed all downloadable versions of its printer firmware from its support pages, but he noted that samples of the affected firmware are still available from the Dell support site. That particular printer firmware installer is named "Dell2335dn_A11_v2.70.06.21.exe." In a Twitter post, Smith suggested that Korea-based Samsung moved less than quickly to address the flaw. "It's been frustrating working with samsung. Internal ITsec at S confirmed it. Kr:HQ pulled them off. CERT pubd and so did I," he said.

The Samsung vulnerability warning is a reminder that printers -- among other network-connected devices, such as home security webcams -- may contain embedded Web servers that may be permanently enabled. One security best practice, according to the CERT advisory, is to allow connections only from trusted hosts and networks to any network-connected peripheral, and that's one temporary workaround for any organization that currently uses a Samsung or Dell network-connected printer. "Restricting access would prevent an attacker from accessing an SNMP interface using the affected credentials from a blocked network location," noted CERT.

Another risk from attackers being able to remotely access a Web-connected printer is corporate espionage. According to research released last year by Michael Sutton, VP of security research for Web security firm Zscaler Labs, he was able to fingerprint, or identify, one million Internet-connected systems. Many of those systems were embedded Web servers inside Web-connected photocopiers, scanners, and VoIP systems and weren't secured in any manner, such as requiring a username or password. As a result, Sutton was able to freely download numerous types of documents stored on the Internet-connected devices.

Building a more robust network vulnerability management program can help you identify security holes before an attacker does, as well as develop more secure systems and applications in the future. In the A Guide To Network Vulnerability Management report, we examine the products and practices that will get you there. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Zod
50%
50%
Zod,
User Rank: Apprentice
2/5/2013 | 12:28:13 AM
re: Samsung Printers Have Hidden Security Risk
"contain a hardcoded SNMP full read-write community string that remains active even when SNMP is disabled in the printer management utility." In other words, the printers have a hardcoded account in their firmware that can't be disabled by users. SNMP"

and

"The issue affects devices only when SNMP is enabled, and is resolved by disabling SNMP," said Samsung spokesman Reuben Staines via email."

So? Which is it? Samsung says that if you disable SNMP, the exploit is invalid....the exploit says that even *IF* SNMP is turned off, the exploit is still valid!
This is conflicting information that makes this article confusing....why didn't the writer of this article hold Reuben's feet to the fire for making this statement? I mean, if he made this statement in error, this shows a complete lack of understanding by Samsung and shows that their SAFE endevour is nothing more than advertising hype.
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2021
Published: 2014-10-24
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.4.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.

CVE-2014-3604
Published: 2014-10-24
Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2014-6230
Published: 2014-10-24
WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.

CVE-2014-6251
Published: 2014-10-24
Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote attackers to have an unspecified impact by sending a mining.subscribe response with a large nonce2 length, then triggering the overflow with a mining.notify request.

CVE-2014-7180
Published: 2014-10-24
Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 uses world-writable permissions for (1) eccert.pl and (2) ecconfigure.pl, which allows local users to execute arbitrary Perl code by modifying these files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.