Security vulnerabilities have been disclosed in Xerox VersaLink C7025 Multifunction printers (MFPs) that could allow attackers to capture authentication credentials via pass-back attacks via Lightweight Directory Access Protocol (LDAP) and SMB/FTP services.
“This pass-back style attack leverages a vulnerability that allows a malicious actor to alter the MFP’s configuration and cause the MFP device to send authentication credentials back to the malicious actor,” Rapid7 security researcher Deral Heiland said.
“If a malicious actor can successfully leverage these issues, it would allow them to capture credentials for Windows Active Directory. This means they could then move laterally within an organization’s environment and compromise other critical Windows servers and file systems.”
The identified vulnerabilities, which affect firmware versions 57.69.91 and earlier, are listed below –
Successful exploitation of CVE-2024-12510 could allow authentication information to be redirected to a rogue server, potentially exposing credentials. This, however, requires an attacker to gain access to the LDAP configuration page and that LDAP is used for authentication.
CVE-2024-12511, likewise, allows a malicious actor to gain access to the user address book configuration to modify the SMB or FTP server’s IP address and make it point to a host under their control, causing SMB or FTP authentication credentials to be captured during file scan operations.
“For this attack to be successful, the attacker requires an SMB or FTP scan function to be configured within the user’s address book, as well as physical access to the printer console or access to remote-control console via the web interface,” Heiland noted. “This may require admin access unless user level access to the remote-control console has been enabled.”
Following responsible disclosure on March 26, 2024, the vulnerabilities were addressed as part of Service Pack 57.75.53 released late last month for VersaLink C7020, 7025, and 7030 series printers.
If immediate patching is not an option, users are recommended to set a complex password for the admin account, avoid using Windows authentication accounts that have elevated privileges, and disable the remote-control console for unauthenticated users.
The development comes as Specular founder and CEO Peyton Smith detailed an unauthenticated SQL injection vulnerability affecting a widely deployed healthcare software named HealthStream MSOW (CVE-2024-56735) that could lead to a full database compromise, allowing threat actors to access sensitive data of 23 healthcare organizations from the public internet.
The company said it identified 50 instances of internet-exposed MSOW instances, of which 23 are susceptible to security shortcomings.
The vulnerability could allow “the entire database could be returned in-band, meaning an attacker could retrieve the plaintext database contents in a HTTP response from a crafted SQL injection HTTP payload,” Smith said.
