Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Malware detection

8/17/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

Check Point: Fax Machines, Networks Vulnerable to Attack

Researchers for the cybersecurity company found a way to exploit vulnerabilities in the fax system of an HP OfficeJet inkjet all-in-one printer to gain access to all systems on a network.

The fax machine might seem like a relic of the past in this age of instant communication, but fax systems are still in millions of offices as part of connected all-in-one printers, and that connectivity makes these systems another pathway for hackers to get into corporate and consumer networks. Researchers at Check Point put that threat into focus when they took advantage of vulnerabilities in the fax functions of an HP Inc. OfficeJet inkjet printer to gain entrance into other systems on the network.

By sending what the researchers called a "maliciously crafted fax," they were able to exploit several vulnerabilities in the widely-used ITU T.30 fax protocol found in HP's implementation in all of its inkjet printers -- including the Officejet Pro 6830 used in the research -- and take complete control of the machine.

"From that point on, anything was possible," Check Point security researchers Eyal Itkin and Yaniv Balmas wrote in a blog post. "We decided the best way to showcase this control will be to use Eternal Blue in order to exploit any PC connected to the same network, and use that PC in order to exfiltrate data back to the attacker by sending … a fax."

The researchers talked about their work at the Def Con 2018 conference. In addition, Check Point notified HP officials about the two vulnerabilities (CVE-2018-5925 and CVE-2018-5924) before announcing the results of the research, enabling the vendor to release patches for both.

At a time when everything from email and text to mobile applications and cloud services dominate our communications methods, it shouldn't be lost on companies that fax machines are not only still around as part of larger systems, but that they're connected both to the corporate network and the outside world.

Itkin and Balmas noted that a Google Search found that there are still more than 300 million fax numbers in use and that all-in-one printers "are then connected both to the internal home or corporate networks through their Ethernet, WiFi, Bluetooth, etc., interfaces. However, in addition they are also connected to a PSTN phone line in order to support the fax functionality that they include."

Particularly in the era of the Internet of Things, companies should be careful not to overlook such machines as printers and other connected devices as they plan out their security environment, according to Joseph Kucic, chief security officer at cybersecurity provider Cavirin. (See DNS Rebinding Attack Could Affect Half a Billion IoT Devices.)

Source: NASA
Source: NASA

"War-dialing was a very common method to find PSTN connections years ago, but it is still an effective method for hackers, as the Check Point Faxploit shows," Kucic told Security Now in an email. "Today, many printers/scannners/multi-use devices also establish Internet outbound connections to be able to receive transmissions. A good cyber posture includes having a holistic view of the entire environment. Many enterprises find that the building/facility security and/or CCTV networks are vulnerable points of entry as they traditionally have not been managed by cybersecurity teams."

The Check Point analysts agreed, saying "this security risk should be given special attention by the community, changing the way that modern network architectures treat network printers and fax machines. From now on, a fax machine should be treated as a possible infiltration vector into the corporate network."

All-in-one printers with fax functions support protocols that conform to the ITU T.30 standard, which details the capabilities required from both the sender and receiver. It also outlines the various phases of the protocol. Usually, but not always, the Officejet printer uses the .TIFF image format when sending a fax.

When the researchers saw they could send a color fax, they learned that the data is received and stored to a .jpg file, giving the researchers control of the entire file. They did this by sending malicious code through the fax, where it eventually was stored in memory.

The next step was getting the color fax printed. Here the researchers found a custom JPEG parser being used instead of the libjpeg standard. It was in the JPEG parser that Itkin and Balmas found the two vulnerabilities.

"From an attacker's point of view this is a jackpot, as finding a vulnerability in a complex file format parser looks very promising," they wrote.

Going from exploiting the vulnerabilities to spreading into the computer network meant using the Eternal Blue and Double Pulsar tools, both of which were developed by the National Security Agency (NSA) and used on the researchers' file-based Turing Machine. With the tools, they were able to infiltrate the systems on the entire network, a move that would give hackers access to sensitive data and files.

"Using the HP Officejet Pro 6830 all-in-one printer as a test case, we were able to demonstrate the security risk that lies in a modern implementation of the fax protocol," Itkin and Balmas wrote. "Using nothing but a phone line, we were able to send a fax that could take full control over the printer, and later spread our payload inside the computer network accessible to the printer."

Related posts:

— Jeffrey Burt is a longtime tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
News
US Formally Attributes SolarWinds Attack to Russian Intelligence Agency
Jai Vijayan, Contributing Writer,  4/15/2021
News
Dependency Problems Increase for Open Source Components
Robert Lemos, Contributing Writer,  4/14/2021
News
FBI Operation Remotely Removes Web Shells From Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/14/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27400
PUBLISHED: 2021-04-22
HashiCorp Vault and Vault Enterprise Cassandra integrations (storage backend and database secrets engine plugin) did not validate TLS certificates when connecting to Cassandra clusters. Fixed in 1.6.4 and 1.7.1
CVE-2021-29653
PUBLISHED: 2021-04-22
HashiCorp Vault and Vault Enterprise 1.5.1 and newer, under certain circumstances, may exclude revoked but unexpired certificates from the CRL. Fixed in 1.5.8, 1.6.4, and 1.7.1.
CVE-2021-30476
PUBLISHED: 2021-04-22
HashiCorp Terraform’s Vault Provider (terraform-provider-vault) did not correctly configure GCE-type bound labels for Vault’s GCP auth method. Fixed in 2.19.1.
CVE-2021-22540
PUBLISHED: 2021-04-22
Bad validation logic in the Dart SDK versions prior to 2.12.3 allow an attacker to use an XSS attack via DOM clobbering. The validation logic in dart:html for creating DOM nodes from text did not sanitize properly when it came across template tags.
CVE-2021-27736
PUBLISHED: 2021-04-22
FusionAuth fusionauth-samlv2 before 0.5.4 allows XXE attacks via a forged AuthnRequest or LogoutRequest because parseFromBytes uses javax.xml.parsers.DocumentBuilderFactory unsafely.