Vulnerabilities CVE-2024-12510 and CVE-2024-12511 have been discovered in Xerox VersaLink multifunction printers. Identified by Rapid7, these flaws allow attackers to retrieve authentication credentials through pass-back attacks against the printer's LDAP and SMB/FTP services. An attacker with administrative access to the printer could capture LDAP credentials by changing the LDAP service's configured server address to a host they control and running a listener there; the printer then sends the stored credentials to that host when it performs an LDAP lookup.
Attackers could also exploit these flaws by altering the user address book configuration to capture SMB or FTP credentials. Changing the SMB or FTP server address of an address book entry to an attacker-controlled server could expose NetNTLMv2 handshakes or cleartext FTP credentials. Such compromised credentials could enable attackers to reach other important Windows servers and file shares within an organization.
The vulnerabilities were reported to Xerox in March of this year, and security updates were released in January. Organizations should promptly update their firmware to version 57.75.53 to mitigate the risks. Further recommended steps are using complex admin passwords, avoiding highly privileged Windows accounts in the printer's authentication settings, and disabling unauthenticated access to the remote printer console.
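The following audit script is an added example, not code from the article or from Xerox or Rapid7. It checks a printer's exported settings for the risk factors named above: firmware older than 57.75.53, LDAP or address book destinations that point outside the organization's own server ranges, and an unauthenticated remote console. The configuration layout, the sample values and the firmware version in the sample are constructed for the example and are not Xerox's real export format.

```python
"""Audit a VersaLink-style printer configuration for pass-back risk factors.
The dictionary layout below is constructed for this example, not Xerox's own
export format; adapt the key names to whatever your fleet tooling produces."""
from ipaddress import ip_address, ip_network

PATCHED_FIRMWARE = (57, 75, 53)   # fixed firmware version named in the advisory

def parse_version(text):
    """Turn a dotted version string such as '57.75.53' into a comparable tuple."""
    return tuple(int(part) for part in text.strip().split("."))

def host_allowed(host, allowed_networks):
    """True only if host is an IP address inside one of the approved networks.
    Bare hostnames are flagged as well, since a lookup could be redirected."""
    try:
        addr = ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in allowed_networks)

def audit_printer(config, allowed_cidrs):
    """Return a list of (severity, finding) tuples for one printer config."""
    nets = [ip_network(cidr) for cidr in allowed_cidrs]
    findings = []
    if parse_version(config["firmware"]) < PATCHED_FIRMWARE:
        findings.append(("high", f"firmware {config['firmware']} is older than 57.75.53"))
    ldap_server = config.get("ldap", {}).get("server")
    if ldap_server and not host_allowed(ldap_server, nets):
        findings.append(("high", f"LDAP server {ldap_server} is not an approved directory host"))
    for entry in config.get("address_book", []):
        if entry.get("protocol") in ("smb", "ftp") and not host_allowed(entry["host"], nets):
            findings.append(("high", f"{entry['protocol'].upper()} destination "
                                     f"'{entry['name']}' points to {entry['host']}"))
    if config.get("remote_console_unauthenticated"):
        findings.append(("medium", "remote printer console allows unauthenticated access"))
    return findings

# Constructed sample: outdated firmware (version number made up for the example),
# one address book entry redirected outside the approved range, open console.
SAMPLE_CONFIG = {
    "firmware": "57.69.91",
    "ldap": {"server": "10.0.0.5"},
    "address_book": [
        {"name": "scan-to-share", "protocol": "smb", "host": "10.0.0.20"},
        {"name": "scan-to-share", "protocol": "smb", "host": "203.0.113.9"},
    ],
    "remote_console_unauthenticated": True,
}
APPROVED_RANGES = ["10.0.0.0/24"]   # networks where the real LDAP and file servers live

if __name__ == "__main__":
    for severity, finding in audit_printer(SAMPLE_CONFIG, APPROVED_RANGES):
        print(severity.upper(), finding)
```

Run against the sample it reports three findings; a patched printer whose destinations all sit inside the approved ranges returns an empty list.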
Addressing printer vulnerabilities is vital for preventing lateral movement within a network. Updating devices and securing their configurations is crucial for protection against such attacks. Proactive monitoring and timely patching remain essential for robust network security, because vulnerabilities like these are common across printer fleets.