Technical Advisory: Multiple Vulnerabilities in Xerox Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Xerox printers.

The vulnerabilities listed below were found to affect several Xerox printers:

 

Technical Advisories:

Buffer Overflow in Google Cloud Print Implementation (CVE-2019-13171)

Vendor: Xerox
Vendor URL: https://www.xerox.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13171
Risk: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Summary

Some Xerox printers were affected by several buffer overflow vulnerabilities in the Google Cloud Print implementation that would allow an unauthenticated attacker to execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can lead to remote code execution on the affected device.

Details

The Google Cloud Print implementation had a stack buffer overflow, causing a Denial of Service or Remote Code Execution vulnerability. This was caused by insecure handling of the register parameters.

After reverse engineering the firmware, it was found that the Google Cloud Print implementation was affected by a stack buffer overflow: the size passed to a memcpy() call, which copied the “action” value into a local variable, was not checked properly.
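The pattern described above, as an added example that is not code from the Xerox firmware or from the advisory's authors: an "action" value copied into a fixed-size stack buffer, first with the length taken on trust and then with the length checked before the copy. The function names, the 64-byte buffer size and the action name "register" are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define ACTION_MAX 64   /* assumed size of the local buffer */

enum { COPY_OK = 0, COPY_TOO_LONG = -1, COPY_BAD_ARG = -2 };

/* Vulnerable shape, for contrast only: the length comes from the request
 * and is never compared with the destination size, so a value longer than
 * ACTION_MAX bytes is written past the end of `action` on the stack. */
int handle_action_unchecked(const char *value, size_t value_len)
{
    char action[ACTION_MAX];
    memcpy(action, value, value_len);
    return action[0] != '\0';
}

/* Hardened copy: validate the length against the destination before any
 * byte is written, and reject rather than truncate. */
int copy_action(char *dst, size_t dst_size, const char *value, size_t value_len)
{
    if (dst == NULL || value == NULL || dst_size == 0)
        return COPY_BAD_ARG;
    if (value_len >= dst_size)                 /* keep one byte for the NUL */
        return COPY_TOO_LONG;
    if (memchr(value, '\0', value_len) != NULL)
        return COPY_BAD_ARG;                   /* embedded NUL in the value */
    memcpy(dst, value, value_len);
    dst[value_len] = '\0';
    return COPY_OK;
}

/* Returns 1 if the action is the constructed name "register", 0 if it is
 * another well-formed value, or a negative COPY_* code if it is rejected. */
int handle_action_checked(const char *value, size_t value_len)
{
    char action[ACTION_MAX];
    int rc = copy_action(action, sizeof action, value, value_len);
    if (rc != COPY_OK)
        return rc;
    return strcmp(action, "register") == 0;
}
```

Rejecting an oversized value outright, instead of truncating it, avoids a shortened value being mistaken for a different valid action.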

CVSSv3 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proofs of concept will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Xerox in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13171
https://nvd.nist.gov/vuln/detail/CVE-2019-13171

Devices Affected

The table below shows the devices and firmware versions affected:

Xerox Models    Affected Releases            Fixed Releases
Phaser 3320     Phaser3320_V53.006.16.000
  • Other models may also be affected

Multiple Buffer Overflows in IPP Service (CVE-2019-13165, CVE-2019-13168)

Vendor: Xerox
Vendor URL: https://www.xerox.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13165, CVE-2019-13168
Risk: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Summary

Some Xerox printers were affected by multiple overflow vulnerabilities in the IPP service. This would allow an unauthenticated attacker to cause a Denial of Service (DoS) and potentially execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can crash the device and potentially lead to remote code execution on the affected device.

Details

Specially crafted requests to the IPP service will cause a vulnerable device to crash. Multiple buffer overflow vulnerabilities have been identified in the attributes parsing and request parsing of the IPP service of Xerox devices that allow an attacker to crash the device and potentially execute arbitrary code.
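One way to walk IPP attributes so that a declared length can never run past the received data, as an added example (not Xerox's code or the advisory authors'). It follows the attribute encoding of RFC 8010; the function names and the sample message are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

#define IPP_TAG_END 0x03   /* end-of-attributes-tag (RFC 8010) */

/* Constructed sample: IPP/1.1 header, one group, one attribute, end tag. */
const uint8_t ipp_sample[] = {
    0x01, 0x01, 0x00, 0x0b, 0x00, 0x00, 0x00, 0x01,   /* version, op, request-id */
    0x01,                                             /* operation-attributes-tag */
    0x47, 0x00, 0x12, 'a','t','t','r','i','b','u','t','e','s',
                      '-','c','h','a','r','s','e','t',
    0x00, 0x05, 'u','t','f','-','8',
    IPP_TAG_END
};

/* Read a big-endian 16-bit length only if two bytes remain. */
static int rd16(const uint8_t *b, size_t len, size_t *pos, size_t *out)
{
    if (len - *pos < 2)
        return -1;
    *out = ((size_t)b[*pos] << 8) | b[*pos + 1];
    *pos += 2;
    return 0;
}

/* Walk the attribute section without copying anything. Returns the number
 * of attributes, or -1 if a declared length exceeds the remaining input or
 * the end-of-attributes-tag is missing. */
int ipp_count_attributes(const uint8_t *b, size_t len)
{
    size_t pos = 8;        /* version(2) + operation-id(2) + request-id(4) */
    int count = 0;

    if (b == NULL || len < 9)
        return -1;
    while (pos < len) {
        uint8_t tag = b[pos++];
        size_t name_len, value_len;

        if (tag == IPP_TAG_END) return count;
        if (tag <= 0x0f) continue;                 /* group delimiter tag */
        if (rd16(b, len, &pos, &name_len) != 0 || name_len > len - pos) return -1;
        pos += name_len;
        if (rd16(b, len, &pos, &value_len) != 0 || value_len > len - pos) return -1;
        pos += value_len;
        count++;
    }
    return -1;
}
```

Every length is compared with `len - pos` rather than with `pos + length`, so a large declared length cannot wrap the offset.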

CVSSv3 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proofs of concept will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Xerox in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13165
https://nvd.nist.gov/vuln/detail/CVE-2019-13165

CVE-2019-13168
https://nvd.nist.gov/vuln/detail/CVE-2019-13168

Devices Affected

The table below shows the devices and firmware versions affected:

Xerox Models    Affected Releases            Fixed Releases
Phaser 3320     Phaser3320_V53.006.16.000
  • Other models may also be affected

Multiple Buffer Overflows in Web Server  (CVE-2019-13169, CVE-2019-13172)

Vendor: Xerox
Vendor URL: https://www.xerox.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13169, CVE-2019-13172
Risk: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Summary

Some Xerox printers were affected by several buffer overflow vulnerabilities in the web application that would allow an unauthenticated attacker to cause a Denial of Service (DoS) and potentially execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can crash the device and potentially lead to remote code execution on the affected device.

Details

Specially crafted requests to the web server will cause a vulnerable device to crash. Buffer overflows have been identified in the Content-Type header and the authentication cookie that would allow an attacker to execute arbitrary code on the device.

CVSSv3 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proofs of concept will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Xerox in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13169
https://nvd.nist.gov/vuln/detail/CVE-2019-13169

CVE-2019-13172
https://nvd.nist.gov/vuln/detail/CVE-2019-13172

Devices Affected

The table below shows the devices and firmware versions affected:

Xerox Models    Affected Releases            Fixed Releases
Phaser 3320     Phaser3320_V53.006.16.000
  • Other models may also be affected

Multiple Cross-Site Scripting Vulnerabilities (CVE-2019-13167)

Vendor: Xerox
Vendor URL: https://www.xerox.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13167
Risk: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)

Summary

Multiple Stored Cross-Site Scripting vulnerabilities were found in the Xerox Web Application.

Impact

Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions.

Details

The web application was vulnerable to Cross-Site Scripting attacks. This type of vulnerability occurs when untrusted data is included in the resulting page without being correctly HTML-encoded, and client-side executable code may be injected into the dynamic page.

CVSSv3 Base Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Impact Subscore: 2.7
Exploitability Subscore: 2.8

Proof of Concept

Proofs of concept will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Xerox in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13167
https://nvd.nist.gov/vuln/detail/CVE-2019-13167

Devices Affected

The table below shows the devices and firmware versions affected:

Xerox Models    Affected Releases            Fixed Releases
Phaser 3320     Phaser3320_V53.006.16.000
  • Other models may also be affected

Lack of Cross-Site Request Forgery Countermeasures (CVE-2019-13170)

Vendor: Xerox
Vendor URL: https://www.xerox.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13170
Risk: 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Summary

Some Xerox printers did not implement any mechanism to avoid cross-site request forgery attacks.

Impact

Successful exploitation of this vulnerability can lead to the takeover of a local account on the device.

Details

Some Xerox printers did not implement any mechanism to avoid cross-site request forgery attacks. This can allow a local account password to be changed without the knowledge of the authenticated user.

CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Impact Subscore: 3.6
Exploitability Subscore: 2.8

Proof of Concept

Proofs of concept will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Xerox in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13170
https://nvd.nist.gov/vuln/detail/CVE-2019-13170

Devices Affected

The table below shows the devices and firmware versions affected:

Xerox Models    Affected Releases            Fixed Releases
Phaser 3320     Phaser3320_V53.006.16.000
  • Other models may also be affected

 

No Account Lockout Implemented (CVE-2019-13166)

Vendor: Xerox
Vendor URL: https://www.xerox.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13166
Risk: 6.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)

Summary

Some Xerox printers did not implement account lockout.

Impact

Local account credentials may be extracted from the device via brute force guessing attacks.

Details

Some Xerox printers did not implement account lockout. Therefore, it was possible to obtain the local account credentials by brute force.
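The missing control, sketched as an added example (not code from the device or from the advisory's authors): a per-account failure counter with a timed lockout, plus a simulation of how many guesses are still evaluated when one wrong password arrives every second. The threshold of 5 failures, the 300-second lockout and all names are assumptions.

```c
#include <stdint.h>

#define MAX_FAILURES 5     /* assumed policy: failures before lockout */
#define LOCKOUT_SECS 300   /* assumed policy: lockout duration */

struct login_state {
    unsigned failures;
    uint64_t locked_until;   /* timestamp in seconds; 0 means not locked */
};

enum login_result { LOGIN_OK, LOGIN_BAD_PASSWORD, LOGIN_LOCKED };

/* `password_ok` is the result of the real credential check; `now` is the
 * current time in seconds from a monotonic clock. */
enum login_result login_attempt(struct login_state *s, int password_ok, uint64_t now)
{
    if (now < s->locked_until)
        return LOGIN_LOCKED;     /* a correct guess is refused too while locked */
    if (password_ok) {
        s->failures = 0;
        s->locked_until = 0;
        return LOGIN_OK;
    }
    if (++s->failures >= MAX_FAILURES) {
        s->locked_until = now + LOCKOUT_SECS;
        s->failures = 0;
    }
    return LOGIN_BAD_PASSWORD;
}

/* Count how many guesses are actually evaluated when a client sends one
 * wrong password per second for `seconds` seconds. */
unsigned guesses_evaluated(uint64_t seconds)
{
    struct login_state s = { 0, 0 };
    unsigned evaluated = 0;

    for (uint64_t t = 0; t < seconds; t++)
        if (login_attempt(&s, 0, t) != LOGIN_LOCKED)
            evaluated++;
    return evaluated;
}
```

With these values, an hour of one-per-second guessing gets 60 passwords evaluated instead of 3600. A per-account lockout also lets anyone lock the account out on purpose, so it is usually paired with per-source throttling.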

CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Impact Subscore: 2.5
Exploitability Subscore: 3.9

Proof of Concept

Proofs of concept will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Xerox in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13166
https://nvd.nist.gov/vuln/detail/CVE-2019-13166

Devices Affected

The table below shows the devices and firmware versions affected:

Xerox Models    Affected Releases            Fixed Releases
Phaser 3320     Phaser3320_V53.006.16.000
  • Other models may also be affected

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: 08/08/2019
Written by:
• Daniel Romero – daniel.romero[at]nccgroup[dot]com
• Mario Rivas – mario.rivas[at]nccgroup[dot]com
