Bugs found in five leading printers, one of them a critical 9.8 flaw

A zero-day research project into multifunction printers by Rapid7 found eight new vulnerabilities, one of them a critical 9.8 authentication bypass flaw.

Seven of the bugs were updated in firmware, while a workaround was provided for the critical flaw, according to Rapid7 researchers in a June 25 blog.

Rapid7 worked with IPCERT/CC and Brother Industries to find a total of 748 models affected across five vendors: Brother Industries, Fujifilm Business Innovation, Ricoh, Toshiba Tec Corporation, and Konica Minolta.

Stephen Fewer, principal security researcher at Rapid7, said some devices were configured to automatically update their firmware to the latest available version, while others are configured to manually update.

“Therefore, security teams must review this for every device to ensure that the expected firmware updates have actually been applied,” Fewer said. “Teams should also prioritize the authentication bypass flaw.”

Fewer added that the workaround provided for the authentication bypass – CVE-2024-51978 – should be straightforward for most security teams. They’ll need to manually change the default administrator password on every affected device. Fewer noted that a factory reset of any affected device would revert back to the default administrator password, so teams need to apply the workaround every time a device gets factory reset.

John Gallagher, vice president at Viakoo, added that while repairing a critical printer flaw seems like a normal issue for IT teams, the real issue is the vast number of printers used and managed outside of IT.  Like many IoT devices, Gallagher said the patching and maintenance of printers may not be a priority for the line-of-business units operating them. 

“Yet if these devices remained unpatched, there’s significant risk to the organization overall,” said Gallagher. “Printers are heavily used in certain verticals like healthcare that threat actors target. In healthcare the printer may be for creating patient ID wristbands, instructions to doctors or surgeons, scanning health records, and so forth. Since many printers today store documents in their print buffer or on storage within the device, there’s a threat of patient personal information being stolen.” 

David Matalon, chief executive officer at Venn, said the vulnerabilities uncovered by Rapid7 highlight a much broader issue: When employees work outside the corporate perimeter, the threat surface expands.

“Organizations need to focus on shrinking that threat surface and consider strategies for ensuring their company data is protected independently of the device it's on, or the user’s home network that may be used to access it,” said Matalon. “That includes considering all paths to data including unmanaged printers, smart devices, and anything else connected to a home network that’s outside of IT’s control.”

Here’s a quick guide from Rapid7’s Fewer on how teams can effectively respond to these eight new printer flaws: