Vulnerabilities / Threats
11/28/2012
02:30 PM
Connect Directly
RSS
E-Mail
50%
50%

Samsung Printers Have Hidden Security Risk

Some Samsung printers, and Dell-branded printers manufactured by Samsung, can be remotely accessed by attackers. Here's how.

Some Samsung printers and Dell-branded printers manufactured by Samsung are vulnerable to being taken over remotely by an attacker.

That warning was made Monday by the U.S. Computer Emergency Readiness Team (CERT), which said that the affected printers "contain a hardcoded SNMP full read-write community string that remains active even when SNMP is disabled in the printer management utility." In other words, the printers have a hardcoded account in their firmware that can't be disabled by users. SNMP, or simple network management protocol, is a TCP/IP-based network protocol used to manage and monitor network device configuration.

[ Hackers stole financial and other sensitive information from compromised state system. Read about it at How South Carolina Failed To Spot Hack Attack. ]

As a result of the vulnerability, "a remote, unauthenticated attacker could access an affected device with administrative privileges," according to the CERT information security advisory. "Secondary impacts include: the ability to make changes to the device configuration, access to sensitive information -- e.g. device and network information, credentials, and information passed to the printer -- and the ability to leverage further attacks through arbitrary code execution." That means that after accessing the administrator account, attackers could theoretically transform the printer into a malware-spewing attack platform that's able to target any other network-connected device located inside the same network segment or firewall.

Samsung has acknowledged the vulnerability and promised to release a patch within days. "Samsung is aware of and has resolved the security issue affecting Samsung network printers and multifunction devices. The issue affects devices only when SNMP is enabled, and is resolved by disabling SNMP," said Samsung spokesman Reuben Staines via email. "We take all matters of security very seriously and we are not aware of any customers who have been affected by this vulnerability. Samsung is committed to releasing updated firmware for all current models by November 30, with all other models receiving an update by the end of the year. However, for customers that are concerned, we encourage them to disable SNMPv1.2 or use the secure SNMPv3 mode until the firmware updates are made."

Samsung has yet to release full details about exactly which printer models and firmware versions are affected. But it did say that no Samsung and Dell printers released from November 1, 2012 and later contain the vulnerability.

Both Samsung and Dell were advised of the firmware vulnerability on August 23, 2012, by security researcher Neil Smith, who Tuesday published further details of the vulnerability. According to Smith, Samsung has now removed all downloadable versions of its printer firmware from its support pages, but he noted that samples of the affected firmware are still available from the Dell support site. That particular printer firmware installer is named "Dell2335dn_A11_v2.70.06.21.exe." In a Twitter post, Smith suggested that Korea-based Samsung moved less than quickly to address the flaw. "It's been frustrating working with samsung. Internal ITsec at S confirmed it. Kr:HQ pulled them off. CERT pubd and so did I," he said.

The Samsung vulnerability warning is a reminder that printers -- among other network-connected devices, such as home security webcams -- may contain embedded Web servers that may be permanently enabled. One security best practice, according to the CERT advisory, is to allow connections only from trusted hosts and networks to any network-connected peripheral, and that's one temporary workaround for any organization that currently uses a Samsung or Dell network-connected printer. "Restricting access would prevent an attacker from accessing an SNMP interface using the affected credentials from a blocked network location," noted CERT.

Another risk from attackers being able to remotely access a Web-connected printer is corporate espionage. According to research released last year by Michael Sutton, VP of security research for Web security firm Zscaler Labs, he was able to fingerprint, or identify, one million Internet-connected systems. Many of those systems were embedded Web servers inside Web-connected photocopiers, scanners, and VoIP systems and weren't secured in any manner, such as requiring a username or password. As a result, Sutton was able to freely download numerous types of documents stored on the Internet-connected devices.

Building a more robust network vulnerability management program can help you identify security holes before an attacker does, as well as develop more secure systems and applications in the future. In the A Guide To Network Vulnerability Management report, we examine the products and practices that will get you there. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Zod
50%
50%
Zod,
User Rank: Apprentice
2/5/2013 | 12:28:13 AM
re: Samsung Printers Have Hidden Security Risk
"contain a hardcoded SNMP full read-write community string that remains active even when SNMP is disabled in the printer management utility." In other words, the printers have a hardcoded account in their firmware that can't be disabled by users. SNMP"

and

"The issue affects devices only when SNMP is enabled, and is resolved by disabling SNMP," said Samsung spokesman Reuben Staines via email."

So? Which is it? Samsung says that if you disable SNMP, the exploit is invalid....the exploit says that even *IF* SNMP is turned off, the exploit is still valid!
This is conflicting information that makes this article confusing....why didn't the writer of this article hold Reuben's feet to the fire for making this statement? I mean, if he made this statement in error, this shows a complete lack of understanding by Samsung and shows that their SAFE endevour is nothing more than advertising hype.
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, September 16, 2014
Malicious software is morphing to be more targeted, stealthy, and destructive. Are you prepared to stop it?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-0985
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName parameter.

CVE-2014-0986
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the GotoCmd parameter.

CVE-2014-0987
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the NodeName2 parameter.

CVE-2014-0988
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode parameter.

CVE-2014-0989
Published: 2014-09-20
Stack-based buffer overflow in Advantech WebAccess (formerly BroadWin WebAccess) 7.2 allows remote attackers to execute arbitrary code via the AccessCode2 parameter.

Best of the Web
Dark Reading Radio