Yet another printer vulnerability alert has been issued - but at least this time attackers can't set your office on fire with it. US-CERT issued an advisory that Samsung printers distributed prior to October 31, 2012, including some Dell-branded printers which were manufactured by Samsung, have a vulnerability that could allow attackers to remotely gain administrative privileges which could be the doorway they need to conduct other attacks.
The vulnerability makes available a backdoor that can be accessed through a hardcoded SNMP read-write community string that is said to remain present even if users disable the SNMP manually by way of the printer's management utilities.
"A remote, unauthenticated attacker could access an affected device with administrative read/write privileges. Secondary impacts include: the ability to make changes to the device configuration, access to sensitive information (e.g., device and network information, credentials, and information passed to the printer), and possibility the ability to leverage further attacks through arbitrary code execution," the US-CERT advisory states.
Both Samsung and Dell have stated that they plan to release a patch tool to mitigate the SNMP vulnerability later this year, but in the mean time owners of the devices are encouraged to do the following to protect against the possibility of an exploit of the flaw:
- Block Port 1118/udp: Neil Smith, credited with reporting the vulnerability, says that that blocking the custom SNMP trap port of 1118/udp may help mitigate the risk of exploitation
- Disable SNMP protocol: Samsung recommends users disable SNMPv1, 2 or use the secure SNMPv3 mode until the firmware updates are released, though Smith noted in his report that the community string that remains active even when SNMP is disabled, so this may do little to offer protection. SNMPv3 mode is still considered secure.
- Restrict Access: US-CERT says restricting access by only allowing connections from trusted hosts and networks would prevent an attacker from accessing an SNMP interface using the affected credentials from a blocked network location
In late 2011, news surfaced that some Hewlett Packard printers had a flaw that could allow attackers to compromise entire networks, harvest sensitive information, or even possibly cause the devices to overheat and catch fire. The claims set the Internet ablaze, but HP dismissed reports that said that as many 100,000 or more printers were immediately at risk, calling the assertions "sensational and inaccurate."