Connect with us

Hi, what are you looking for?

Cyber Security

Xerox vulnerability disclosure legal threat withdrawn

A cease-and-desist notice targeting the security researcher who discovered vulnerabilities impacting Xerox printers has been squashed with the removal of a “few extracts of code” in his public disclosure.

Airbus Security Lab security researcher Raphaël Rigo was due to host a talk at this year’s Infiltrate security conference to discuss critical vulnerabilities discovered in Xerox Multifunction Printers.

However, as previously reported, a notice was published by Infiltrate in February, with less than an hour to go until the talk, informing attendees that the session was cancelled due to legal problems.

“We must cease and desist publication, presentation, and discussions related to the content of Raphaël’s talk,” the notice read.

This week, Rigo told The Daily Swig that the “issues had been resolved” and so the online talk, titled ‘Attacking Xerox Multifunction Printers’, was able to go live yesterday (April 22).

Infiltrate said on April 15 that the cease-and-desist order had “been lifted”.

Disclosure roadblocks

Rigo’s research began in January 2019. However, disruption caused by Covid-19 and the last-minute legal threat meant that the work could only be made public this month.

During the presentation, which included attendees from Xerox, Rigo explained that in order for the talk to go ahead, certain “elements” were removed, including “some passphrase details and a few extracts of code”.

“Although, the core is the same and no information I consider important was suppressed,” the researcher added.

Rigo’s talk is now available to watch on Vimeo

The researcher was then able to describe his examination of the Xerox WorkCenter 7835 and AltaLink 8030 – heavy-duty EAL2+ certified printers – on firmware released between 2017 and 2020.

Issues reported to the vendor included hardcoded, default account credentials; ‘service’ accounts hidden in the UI code of which passwords could not be changed; a “trivial-to-exploit” remote command injection vulnerability (CVE-2019-10880); a privilege escalation in AJAX handlers; a SQL injection flaw in the printers’ account management page; and a remote code execution bug caused by clone file functionality.

The small print

Xerox tackled the vulnerabilities in a September 2020 security release. This included an overhaul of privilege levels, enabling some accounts to only work when there was local access, and disabling backdoor accounts.

The other vulnerabilities reported by Rigo have also been resolved.

Rigo also described command injection and buffer overflow vulnerabilities in the Xerox VersaLink, as well as security weaknesses caused by backdoor URLs accessible with hardcoded accounts and the same clone file RCE vulnerability.

Advertisement. Scroll to continue reading.

These security flaws were resolved in June 2020, a year after disclosure. However, the clone file RCE was not fixed until March 5, 2021, as initial attempts to patch the problem failed.

“The multifunction printers are a really easy target as large companies still like using paper and are often overlooked by security teams, as contractors [usually] are responsible for these peripheral devices on an enterprise network,” Rigo said.

Xerox declined to comment.

In related news this month, a new GitHub repository was launched to document battles between researchers and organizations which are the subject of good faith research, including reactions, legal demands, and cease-and-desist notices.

Source: https://portswigger.net/daily-swig/xerox-vulnerability-disclosure-legal-threat-withdrawn

Click to comment

Leave a Reply

Your email address will not be published. Required fields are marked *

You May Also Like

Business News

Cummins Inc. has approved its high-horsepower diesel engines across all ratings for use with unblended paraffinic fuels (EN15940), often referred to as renewable diesel,...

Business News

PT BAUER Pratama Indonesia, the Indonesian subsidiary of BAUER Spezialtiefbau GmbH, was commissioned to manufacture the retaining walls for the basement in Kota Station...

Business News

The European Anti-Fraud Office (OLAF) has put forth a recommendation to halt the €140 million renovation project for the Kostenets-Septemvri railway in Bulgaria, while...

Business News

According to an official news release, Turner Construction has officially commenced a US$100 million renovation project at Albany International Airport, located in upstate New...

Copyright © 2023 Newsworthy News | Global | Political | Local | All News | Website By: Top Search SEO