- Rapid7 Research has disclosed several printer vulnerabilities
- Printers from Brother, Fujifilm, Ricoh and Toshiba are all affected
- Rapid7 and Brother have published mitigations and workarounds
Brother Industries produces some of the best home printers on the market and has millions of machines deployed around the world.
But Rapid7's research has revealed that hundreds of Brother home and business printer models are vulnerable to multiple serious security flaws.
Worse, one of the vulnerabilities cannot be fixed with a simple software update: the device must be redesigned to remove the flaw.
Millions of vulnerable printers
In total, Rapid7 found eight serious vulnerabilities affecting 689 Brother device models, covering printers, scanners and label makers. In addition, because of Brother's position in the supply chain, 46 Fujifilm models, five Ricoh models and two Toshiba models are also affected.
The most serious vulnerability, an authentication bypass with a CVSS score of 9.8, allows an attacker to use the printer's default password to take control of the device and potentially reach the systems connected to it. By obtaining the serial number of the target device, an attacker can generate the default password for that specific device.
Default passwords are generated during manufacturing, so fully resolving this vulnerability requires Brother to change its manufacturing process in order to protect devices against exploitation of CVE-2024-51978.
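The design weakness described above is that a "secret" derived from a public identifier (the serial number) is no secret at all once the identifier is known. The following Python is an added illustration, not code from Rapid7, Brother or any other vendor named here: the derivation function is a hypothetical stand-in (the real algorithm is not on this page), the vendor list comes from the article, and the fleet records are constructed sample data. It contrasts a serial-derived default with a CSPRNG-generated per-device secret and runs a defender-side audit that flags devices still carrying a reproducible default or unpatched firmware.

```python
"""Added example (not Rapid7's, Brother's or any vendor's code).

Shows why a default credential derived from a public identifier is weak, and
how a defender can audit a fleet for devices that still carry such a default.
The derivation below is a HYPOTHETICAL stand-in, not the real algorithm, and
every device record is constructed sample data.
"""
import hashlib
import secrets
from dataclasses import dataclass


def hypothetical_serial_derived_default(serial: str) -> str:
    """Hypothetical manufacturing-time derivation: deterministic and keyed only
    by the serial, so anyone who learns the serial reproduces the password."""
    return hashlib.sha256(serial.encode("utf-8")).hexdigest()[:8]


def random_per_device_default() -> str:
    """Hardened alternative: an unguessable per-device secret from the OS
    CSPRNG (96 bits), printed on the device label and unrelated to the serial."""
    return secrets.token_urlsafe(12)


def reproducible_from_serial(password: str, serial: str) -> bool:
    """True if the password can be regenerated from the serial alone, i.e. the
    serial (often on the case or exposed over SNMP) is the whole secret."""
    derived = hypothetical_serial_derived_default(serial)
    return secrets.compare_digest(password.encode("utf-8"), derived.encode("utf-8"))


@dataclass
class Device:
    vendor: str
    model: str
    serial: str
    admin_password: str   # as held in the organisation's password vault
    firmware_patched: bool


# Vendors the article lists as affected via Brother's supply-chain position.
AFFECTED_VENDORS = {"brother", "fujifilm", "ricoh", "toshiba"}


def audit(devices):
    """Return {serial: [findings]} for affected-vendor devices needing attention."""
    report = {}
    for d in devices:
        if d.vendor.lower() not in AFFECTED_VENDORS:
            continue
        findings = []
        if reproducible_from_serial(d.admin_password, d.serial):
            findings.append("admin password is the serial-derived default; set a unique one")
        if not d.firmware_patched:
            findings.append("firmware not updated; apply the vendor fix for the remaining issues")
        if findings:
            report[d.serial] = findings
    return report


# Constructed sample fleet: serials and model names are placeholders, not real devices.
SAMPLE_FLEET = [
    Device("Brother", "MODEL-A", "SER000001",
           hypothetical_serial_derived_default("SER000001"), False),
    Device("Fujifilm", "MODEL-B", "SER000002", "Correct-Horse-Battery-7!", True),
    Device("Ricoh", "MODEL-C", "SER000003",
           hypothetical_serial_derived_default("SER000003"), True),
    Device("OtherCo", "MODEL-D", "SER000004",
           hypothetical_serial_derived_default("SER000004"), False),
]

if __name__ == "__main__":
    for serial, findings in audit(SAMPLE_FLEET).items():
        print(serial)
        for f in findings:
            print("  -", f)
```

The audit only checks whether a stored password equals the reproducible default; it never needs the device's real algorithm, only the organisation's own vault entries, which is why a defender can run it as soon as an inventory and serial list exist. The `OtherCo` record is deliberately skipped to show that the vendor scoping comes from the article's affected list, not from the password check.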
The other vulnerabilities include ways for attackers to recover sensitive information from the device, trigger a stack-based buffer overflow, force the device to open new TCP connections, make arbitrary HTTP requests, crash the device, and disclose the passwords of a configured external device. Full details of these vulnerabilities and the recommended fixes can be found here.
The Rapid7 research project was carried out alongside JPCERT/CC and Brother Industries to make consumers and businesses aware of the threats posed by these vulnerabilities and of the mitigations that can be applied.