Path Traversal Bug Besets Popular Kyocera Office Printers

A newly published path traversal vulnerability could enable account takeover, data theft, and follow-on attacks at organizations using Kyocera printers and other multifunction devices.

Kyocera is a Japanese electronics manufacturer known for its multifunction printers. As of 2021 it possessed around 7.8% of the global market share for printers in general, according to data from Statista.

On Dec. 22, the company acknowledged a vulnerability affecting its Device Manager Web application, which IT administrators use to manage one or more Kyocera office devices. And in a blog post published on Jan. 8, researchers from Trustwave Spiderlabs filled in the gaps for the bug they've labeled CVE-2023-50916.

CVE-2023-50916 allows an attacker to funnel Device Manager authentication attempts towards their own malicious server. It has not yet been exploited in the wild, published by MITRE, or scored by the National Vulnerability Database (NVD). "While I'm not sure how they will rank the vulnerability, our expectation is that it will be a Medium severity vulnerability with a CVSS 3.1 base score likely around 5.6," assesses Karl Sigler, senior security research manager with Trustwave SpiderLabs Threat Intelligence.

Kyocera has issued a patch. It did not immediately respond to a request for comment from Dark Reading.

Bug in the Kyocera Device Manager

The issue underlying CVE-2023-50916 has to do with a minor function of the Kyocera Device Manager, which allows admins the ability to configure the backup location of a database used by the app.

Naturally, the app expects to point to a local path — a directory on the local system. But with a Web interception proxy, or simply by sending the request to the application endpoint, an attacker can coerce it into accepting a UNC path instead. (A UNC path specifies a location of a resource on a network.)

An attacker who's set up their own server can intercept the app's attempt at authentication, gaining access to the credentials associated with the higher, service-level process handling all of the Device Manager functionality. Then they can pivot and move laterally through a network.

The issue is abated, in part, by the implicit need for an attacker to already have access to a company's network before attempting the interception.

And the severity of what can be achieved here "really depends on the configuration; how the admins set things up," Sigler explains. "If the service is set up as just a local default, low-access service, the attacker is not going to get much from this attack. There may be additional credentials on that system that they'd be able to access just by accessing that service. But if the service is managed from Active Directory (AD), along with a lot of other service accounts, it may enable access to credentials for AD, and they can continue to expand from there."

For that reason, Sigler highlights the need for companies to properly segment their IT environments.

"If your Kyocera Device Manager is sharing service accounts with your HR database server? That's probably not a good thing," he says.