689 different Brother printer models all use the serial number to create default password — ridiculous security flaw baked in from manufacturing, can’t be fully remediated with firmware
Another reminder to change your devices’ default passwords has arrived, thanks to a new critical vulnerability found in Brother printers. 689 different models of Brother printers, plus a handful of other printers from Fujifilm, Toshiba, and Konica Minolta, are susceptible to eight new security vulnerabilities, some of which cannot be patched with firmware updates.
Security company Rapid7 discovered the exploits in a recent investigation of some Brother printers. The most severe of these, CVE-2024-51978, given a 9.8 Critical rating, allows attackers to generate the device’s default admin password. The affected models have default passwords created algorithmically using their serial numbers as a seed, so attackers with the printer’s serial number (accessible via HTTP thanks to CVE-2024-51977) can create the default password and access the printer and the rest of the network.
The other vulnerabilities opened up by this attack vector include the ability to trigger a buffer overflow and achieve remote code execution, forcing the device to open connections across the network, exposing the passwords for other network services like LDAP or FTP, and repeatedly crashing the printer, rendering it inoperable, among others.
|
CVE |
Description |
CVSS |
|
CVE-2024-51977 |
An unauthenticated attacker can leak sensitive information. |
5.3 (Medium) |
|
CVE-2024-51978 |
An unauthenticated attacker can generate the device’s default administrator password. |
9.8 (Critical) |
|
CVE-2024-51979 |
An authenticated attacker can trigger a stack based buffer overflow. |
7.2 (High) |
|
CVE-2024-51980 |
An unauthenticated attacker can force the device to open a TCP connection. |
5.3 (Medium) |
|
CVE-2024-51981 |
An unauthenticated attacker can force the device to perform an arbitrary HTTP request. |
5.3 (Medium) |
|
CVE-2024-51982 |
An unauthenticated attacker can crash the device. |
7.5 (High) |
|
CVE-2024-51983 |
An unauthenticated attacker can crash the device. |
7.5 (High) |
|
CVE-2024-51984 |
An authenticated attacker can disclose the password of a configured external service. |
6.8 (Medium) |
The most severe vulnerability, the password generation flaw, is something that is determined at the time of the printer’s manufacturing, meaning that it cannot be fixed with firmware updates. Brother confirmed this fact in a statement to Rapid7, with its product advisory pages guiding customers to change their printer’s password to a new one, and to update their printer firmware to protect against the other flaws. We’ve seen some security flaws in our time, but generating a password using a device’s serial number is right up there.
Not every flaw is found on every printer model from the four manufacturers, with the main CVE-2024-51978 and CVE-2024-51980 being the most common. Thankfully, the CVE-2024-51977 vulnerability that opens up the printer to having its serial number remotely accessible is among the least common vulnerabilities, with only 463 of the 748 total models affected.
While most readers of Tom’s Hardware are surely aware of the need to change their network-connected devices’ default passwords shortly after setup, many less knowledgeable users are prone to leaving default passwords unchanged, which in this case could lead to having their printers crashed by trolls on the internet, or perhaps worse. So let this disclosure act as a sage reminder to update your default passwords, or else. A full summary of all of the vulnerabilities and what attacks they open up is available on Rapid7’s disclosure site.
Follow Tom’s Hardware on Google News to get our up-to-date news, analysis, and reviews in your feeds. Make sure to click the Follow button.
