A vulnerability that is best known before it's too late.
A critical vulnerability has been identified in several Xerox printer models that could allow attackers to remotely execute arbitrary commands with elevated privileges. The EC80xx, AltaLink, VersaLink, and WorkCentre models are at risk if they are not updated to the latest firmware versions.
The vulnerability, tracked under the number CVE-2024-6333, allows attackers with administrative credentials to access the printer's operating system through a web interface and execute commands on behalf of the root.
The vulnerability lies in the "Network Troubleshooting" section of the printer's web interface, which uses the tcpdump utility. Due to insufficient verification of the entered data, attackers can insert their commands into the string, imitating IPv4 settings. An example of such interference is spoofing the address with "0.0.0.0$(bash $TMP~cmd)", which allows the execution of commands stored in "/tmp/~cmd".
Successful exploitation of this vulnerability could lead to the installation of a reverse shell, which would give an attacker full control over the printer system.
SEC Consult reports that the vulnerability has been confirmed on Xerox WorkCentre 7970 (073.200.167.09610) and WorkCentre 7855 (073.040.167.09610) models. To prevent possible attacks, users are strongly advised to update the firmware of their devices and read the Xerox XRX24-015 official note on how to fix the problem.
Experts are also calling for a full security audit of Xerox products to identify other potential threats. In response to the identified issues, Xerox emphasizes its commitment to security and its commitment to improving its customers' workflows through innovative solutions.
Source
A critical vulnerability has been identified in several Xerox printer models that could allow attackers to remotely execute arbitrary commands with elevated privileges. The EC80xx, AltaLink, VersaLink, and WorkCentre models are at risk if they are not updated to the latest firmware versions.
The vulnerability, tracked under the number CVE-2024-6333, allows attackers with administrative credentials to access the printer's operating system through a web interface and execute commands on behalf of the root.
The vulnerability lies in the "Network Troubleshooting" section of the printer's web interface, which uses the tcpdump utility. Due to insufficient verification of the entered data, attackers can insert their commands into the string, imitating IPv4 settings. An example of such interference is spoofing the address with "0.0.0.0$(bash $TMP~cmd)", which allows the execution of commands stored in "/tmp/~cmd".
Successful exploitation of this vulnerability could lead to the installation of a reverse shell, which would give an attacker full control over the printer system.
SEC Consult reports that the vulnerability has been confirmed on Xerox WorkCentre 7970 (073.200.167.09610) and WorkCentre 7855 (073.040.167.09610) models. To prevent possible attacks, users are strongly advised to update the firmware of their devices and read the Xerox XRX24-015 official note on how to fix the problem.
Experts are also calling for a full security audit of Xerox products to identify other potential threats. In response to the identified issues, Xerox emphasizes its commitment to security and its commitment to improving its customers' workflows through innovative solutions.
Source
