Technical Advisory: Multiple Vulnerabilities in Brother Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Brother printers.

The vulnerabilities listed below were found to affect several Brother printers:

Technical Advisories:

Stack Buffer Overflow in Cookie Values (CVE-2019-13193)

Vendor: Brother
Vendor URL: https://global.brother/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13193
Risk: 8.8 CVSSv3

Summary

Some Brother printers were affected by a stack buffer overflow vulnerability that would allow an attacker to execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can lead to remote code execution on the affected device.

Details

A specially crafted request to the web server will cause a vulnerable device to crash. A stack buffer overflow was identified in the way the embedded web server parsed cookie values. This would allow an attacker to execute arbitrary code on the device.

CVSSv3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 2.8

Proof of Concept

Proofs of concept will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

BROTHER Models | Affected Releases | Fixed Releases
Brother HL-L8360CDW | Main Firmware: v1.20 | Main Firmware: v1.34
others | *

Vendor Communication

2019-02-06: Responsible Vulnerability Disclosure process initiated
Between February and July: Ongoing email / call contact between NCC Group and Brother to follow up on the process.
2019-04-25: Brother firmware update released (only for the HL-L8360CDW model – no issue references)
2019-07-04: CVEs request (CVE-2019-13193)
2019-07-31: Brother firmware update released (for the rest of the models affected)
2019-07-31: Brother advisory released
2019-08-08: NCC Group advisory released

References

Brother firmware update (HL-L8360CDW model):
https://support.brother.com/g/b/downloadend.aspx?c=gb&lang=en&prod=hll8360cdw_us_eu_as&os=10013&dlid=dlf002976_000&flang=4&type3=375

Brother Security Advisory:
https://support.brother.com/g/b/faqend.aspx?c=us&lang=en&prod=group2&faqid=faq00100670_000

CVE-2019-13193:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13193

 

Heap Overflow in IPP Attribute Name (CVE-2019-13192)

Vendor: Brother
Vendor URL: https://global.brother/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13192
Risk: 9.8 CVSSv3

Summary

Some Brother printers were affected by a heap buffer overflow vulnerability that would allow an attacker to execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can lead to remote code execution on the affected device.

Details

A specially crafted request to the IPP service will cause a vulnerable device to crash. A heap buffer overflow was identified in the way the IPP service parsed attribute names. This would allow an attacker to execute arbitrary code on the device.

CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9
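
The advisory does not publish the root cause, so the following is an added illustration of the bug class and its mitigation, not Brother firmware code and not NCC Group's proof of concept: a bounds-checked parser for one IPP attribute in the RFC 8010 wire layout (value-tag, name-length, name, value-length, value). The same check-the-length-before-copying discipline applies to the cookie values in CVE-2019-13193. The names ipp_parse_attr, read_be16, struct ipp_attr and the 255-octet cap IPP_NAME_MAX are assumptions of this example, and the sample byte arrays are constructed.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define IPP_NAME_MAX 255 /* assumption: cap chosen for this example's name buffer */
enum { IPP_OK = 0, IPP_TRUNCATED = -1, IPP_NAME_TOO_LONG = -2 };
struct ipp_attr {              /* hypothetical structure for this example */
    uint8_t value_tag;
    char name[IPP_NAME_MAX + 1];
    const uint8_t *value;      /* points into the request buffer, not copied */
    uint16_t value_len;
};

static int read_be16(const uint8_t *b, size_t len, size_t *off, uint16_t *out) {
    if (len - *off < 2) return -1;          /* two length bytes must remain */
    *out = (uint16_t)((b[*off] << 8) | b[*off + 1]);
    *off += 2;
    return 0;
}

/* Parse one attribute: value-tag, name-length, name, value-length, value. */
int ipp_parse_attr(const uint8_t *b, size_t len, struct ipp_attr *a) {
    size_t off = 0;
    uint16_t nlen, vlen;
    if (len < 1) return IPP_TRUNCATED;
    a->value_tag = b[off++];
    if (read_be16(b, len, &off, &nlen)) return IPP_TRUNCATED;
    if (nlen > IPP_NAME_MAX) return IPP_NAME_TOO_LONG; /* fits the destination? */
    if (len - off < nlen) return IPP_TRUNCATED;        /* present in the request? */
    memcpy(a->name, b + off, nlen);
    a->name[nlen] = '\0';
    off += nlen;
    if (read_be16(b, len, &off, &vlen)) return IPP_TRUNCATED;
    if (len - off < vlen) return IPP_TRUNCATED;
    a->value = b + off;
    a->value_len = vlen;
    return IPP_OK;
}

/* Constructed inputs, not captured traffic. */
static const uint8_t SAMPLE_OK[] = { 0x47, 0x00, 0x12, 'a','t','t','r','i','b','u','t','e','s',
    '-','c','h','a','r','s','e','t', 0x00, 0x05, 'u','t','f','-','8' };
static const uint8_t SAMPLE_LONG[]  = { 0x47, 0x04, 0x00, 'x', 'x' };  /* name-length 1024 */
static const uint8_t SAMPLE_SHORT[] = { 0x47, 0x00, 0x12, 'a', 't' };  /* name-length 18 */
static struct ipp_attr demo;   /* scratch result for the calls below */
int main(void) {
    printf("%d %d %d\n", ipp_parse_attr(SAMPLE_OK, sizeof SAMPLE_OK, &demo),
           ipp_parse_attr(SAMPLE_LONG, sizeof SAMPLE_LONG, &demo),
           ipp_parse_attr(SAMPLE_SHORT, sizeof SAMPLE_SHORT, &demo));
    return 0;
}
```

Both length fields are compared against the bytes remaining in the request, and the name length is additionally compared against the destination buffer before any copy takes place.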

Proof of Concept

Proofs of concept will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

BROTHER Models | Affected Releases | Fixed Releases
Brother HL-L8360CDW | Main Firmware: v1.20 | Main Firmware: v1.34
others | *

Vendor Communication

2019-02-06: Responsible Vulnerability Disclosure process initiated
Between February and July: Ongoing email / call contact between NCC Group and Brother to follow up on the process.
2019-04-25: Brother firmware update released (only for the HL-L8360CDW model – no issue references)
2019-07-04: CVEs request (CVE-2019-13192)
2019-07-31: Brother firmware update released (for the rest of the models affected)
2019-07-31: Brother advisory released
2019-08-08: NCC Group advisory released

References

Brother firmware update (HL-L8360CDW model):
https://support.brother.com/g/b/downloadend.aspx?c=gb&lang=en&prod=hll8360cdw_us_eu_as&os=10013&dlid=dlf002976_000&flang=4&type3=375

Brother Security Advisory:
https://support.brother.com/g/b/faqend.aspx?c=us&lang=en&prod=group2&faqid=faq00100670_000

CVE-2019-13192:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13192

Information Disclosure Vulnerability (CVE-2019-13194)

Vendor: Brother
Vendor URL: https://global.brother/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13194
Risk: 7.5 CVSSv3

Summary

Some Brother printers were affected by different information disclosure vulnerabilities that provided sensitive information to an unauthenticated user.

Impact

Successful exploitation of this vulnerability can lead to the disclosure of information about the device configuration and operation.

Details

Brother printers were found to expose several operational and configuration functions and files that could be reached by an unauthenticated user.

CVSSv3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Impact Subscore: 3.6
Exploitability Subscore: 3.9

Proof of Concept

Proofs of concept will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

BROTHER Models | Affected Releases | Fixed Releases
Brother HL-L8360CDW | Main Firmware: v1.20 | Main Firmware: v1.34
others | *

Vendor Communication

2019-02-06: Responsible Vulnerability Disclosure process initiated
Between February and July: Ongoing email / call contact between NCC Group and Brother to follow up on the process.
2019-04-25: Brother firmware update released (only for the HL-L8360CDW model – no issue references)
2019-07-04: CVEs request (CVE-2019-13194)
2019-07-31: Brother firmware update released (for the rest of the models affected)
2019-07-31: Brother advisory released
2019-08-08: NCC Group advisory released

References

Brother firmware update (HL-L8360CDW model):
https://support.brother.com/g/b/downloadend.aspx?c=gb&lang=en&prod=hll8360cdw_us_eu_as&os=10013&dlid=dlf002976_000&flang=4&type3=375

Brother Security Advisory:
https://support.brother.com/g/b/faqend.aspx?c=us&lang=en&prod=group2&faqid=faq00100670_000

CVE-2019-13194:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13194

 

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: 08/08/2019
Written by:
• Daniel Romero – daniel.romero[at]nccgroup[dot]com
• Mario Rivas – mario.rivas[at]nccgroup[dot]com
