Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Malware detection

// // //
8/17/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt

Check Point: Fax Machines, Networks Vulnerable to Attack

Researchers for the cybersecurity company found a way to exploit vulnerabilities in the fax system of an HP OfficeJet inkjet all-in-one printer to gain access to all systems on a network.

The fax machine might seem like a relic of the past in this age of instant communication, but fax systems are still in millions of offices as part of connected all-in-one printers, and that connectivity makes these systems another pathway for hackers to get into corporate and consumer networks. Researchers at Check Point put that threat into focus when they took advantage of vulnerabilities in the fax functions of an HP Inc. OfficeJet inkjet printer to gain entrance into other systems on the network.

By sending what the researchers called a "maliciously crafted fax," they were able to exploit several vulnerabilities in the widely-used ITU T.30 fax protocol found in HP's implementation in all of its inkjet printers -- including the Officejet Pro 6830 used in the research -- and take complete control of the machine.

"From that point on, anything was possible," Check Point security researchers Eyal Itkin and Yaniv Balmas wrote in a blog post. "We decided the best way to showcase this control will be to use Eternal Blue in order to exploit any PC connected to the same network, and use that PC in order to exfiltrate data back to the attacker by sending … a fax."

The researchers talked about their work at the Def Con 2018 conference. In addition, Check Point notified HP officials about the two vulnerabilities (CVE-2018-5925 and CVE-2018-5924) before announcing the results of the research, enabling the vendor to release patches for both.

At a time when everything from email and text to mobile applications and cloud services dominate our communications methods, it shouldn't be lost on companies that fax machines are not only still around as part of larger systems, but that they're connected both to the corporate network and the outside world.

Itkin and Balmas noted that a Google Search found that there are still more than 300 million fax numbers in use and that all-in-one printers "are then connected both to the internal home or corporate networks through their Ethernet, WiFi, Bluetooth, etc., interfaces. However, in addition they are also connected to a PSTN phone line in order to support the fax functionality that they include."

Particularly in the era of the Internet of Things, companies should be careful not to overlook such machines as printers and other connected devices as they plan out their security environment, according to Joseph Kucic, chief security officer at cybersecurity provider Cavirin. (See DNS Rebinding Attack Could Affect Half a Billion IoT Devices.)

Source: NASA
Source: NASA

"War-dialing was a very common method to find PSTN connections years ago, but it is still an effective method for hackers, as the Check Point Faxploit shows," Kucic told Security Now in an email. "Today, many printers/scannners/multi-use devices also establish Internet outbound connections to be able to receive transmissions. A good cyber posture includes having a holistic view of the entire environment. Many enterprises find that the building/facility security and/or CCTV networks are vulnerable points of entry as they traditionally have not been managed by cybersecurity teams."

The Check Point analysts agreed, saying "this security risk should be given special attention by the community, changing the way that modern network architectures treat network printers and fax machines. From now on, a fax machine should be treated as a possible infiltration vector into the corporate network."

All-in-one printers with fax functions support protocols that conform to the ITU T.30 standard, which details the capabilities required from both the sender and receiver. It also outlines the various phases of the protocol. Usually, but not always, the Officejet printer uses the .TIFF image format when sending a fax.

When the researchers saw they could send a color fax, they learned that the data is received and stored to a .jpg file, giving the researchers control of the entire file. They did this by sending malicious code through the fax, where it eventually was stored in memory.

The next step was getting the color fax printed. Here the researchers found a custom JPEG parser being used instead of the libjpeg standard. It was in the JPEG parser that Itkin and Balmas found the two vulnerabilities.

"From an attacker's point of view this is a jackpot, as finding a vulnerability in a complex file format parser looks very promising," they wrote.

Going from exploiting the vulnerabilities to spreading into the computer network meant using the Eternal Blue and Double Pulsar tools, both of which were developed by the National Security Agency (NSA) and used on the researchers' file-based Turing Machine. With the tools, they were able to infiltrate the systems on the entire network, a move that would give hackers access to sensitive data and files.

"Using the HP Officejet Pro 6830 all-in-one printer as a test case, we were able to demonstrate the security risk that lies in a modern implementation of the fax protocol," Itkin and Balmas wrote. "Using nothing but a phone line, we were able to send a fax that could take full control over the printer, and later spread our payload inside the computer network accessible to the printer."

Related posts:

— Jeffrey Burt is a longtime tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-3349
PUBLISHED: 2022-09-28
A vulnerability was found in Sony PS4 and PS5. It has been classified as critical. This affects the function UVFAT_readupcasetable of the component exFAT Handler. The manipulation of the argument dataLength leads to heap-based buffer overflow. It is possible to launch the attack on the physical devi...
CVE-2022-40486
PUBLISHED: 2022-09-28
TP Link Archer AX10 V1 Firmware Version 1.3.1 Build 20220401 Rel. 57450(5553) was discovered to allow authenticated attackers to execute arbitrary code via a crafted backup file.
CVE-2022-2760
PUBLISHED: 2022-09-28
In affected versions of Octopus Deploy it is possible to reveal the Space ID of spaces that the user does not have access to view in an error message when a resource is part of another Space.
CVE-2022-30935
PUBLISHED: 2022-09-28
An authorization bypass in b2evolution allows remote, unauthenticated attackers to predict password reset tokens for any user through the use of a bad randomness function. This allows the attacker to get valid sessions for arbitrary users, and optionally reset their password. Tested and confirmed in...
CVE-2022-32166
PUBLISHED: 2022-09-28
In ovs versions v0.90.0 through v2.5.0 are vulnerable to heap buffer over-read in flow.c. An unsafe comparison of “minimasks� function could lead access to an unmapped region of memory. This vulnerability is capable of crashing the software, memory modification...