Summary

Your printer might not be the first entry point you think of for hackers, but you’d be surprised by how many vulnerabilities it has. And now it might have an unfixable one too.

A slew of serious security vulnerabilities has been uncovered in nearly 750 printer models from leading manufacturers, including Brother, Fujifilm, Toshiba, Ricoh, and Konica Minolta. The most severe of these flaws, which affects 689 Brother models, allows attackers to remotely determine the device’s default administrator password. And for a change, it’s a bug that can’t be fixed with a software update.

The eight vulnerabilities were discovered by cybersecurity firm Rapid7, which worked with the affected companies for over a year before the public disclosure. The central and most critical vulnerability, identified as CVE-2024-51978 with a “Critical” CVSS rating of 9.8 out of 10, lies in the way default administrator passwords are generated at the factory. Attackers who can obtain a printer’s serial number can use it to mathematically derive the default password.

Another issue, CVE-2024-51977, can allow an unauthenticated attacker to leak sensitive information from the printer, including its serial number. By chaining these two vulnerabilities, a remote attacker could potentially gain full administrative control over a vulnerable printer that is still using its factory-default password.

Once an attacker has administrative access, they can exploit the other six vulnerabilities discovered by Rapid7. These lesser, yet still significant, flaws could allow an attacker to retrieve sensitive data, crash the device, force the printer to open arbitrary TCP connections, execute unauthorized HTTP requests, and expose passwords for connected network services like LDAP and FTP. Each of these vulnerabilities might not do much on its own, but together they could be genuinely dangerous.

Seven of the eight vulnerabilities can be patched by applying the latest firmware updates released by the manufacturers, but Brother has stated that the critical password generation flaw (CVE-2024-51978) “cannot be fully remediated in firmware.” The company has indicated that a change in the manufacturing process will address the issue for future devices, but existing printers will continue to be vulnerable.

For the hundreds of thousands of vulnerable printers already in homes and offices, the main (and most urgent) recommendation from security experts and the manufacturers themselves is to immediately change the default administrator password. This can typically be done through the printer’s web-based management interface. Once you’ve done that, attackers should not be able to exploit the unpatchable password generation flaw. If you still have concerns, you can also replace your printer, but once you have changed the password, this might not be necessary.