Simple exploit can be used to disable Brother printers remotely

After apparently failing, repeatedly, to get a response from printer manufacturer Brother, security researchers at Trustwave have gone public with details of a vulnerability (CVE-2017-16249) they discovered in certain models of Brother printers that lets an attacker render the devices unusable, temporarily.

The attack exploits a flaw in the printer’s embedded Debut httpd server to cause a DoS (Denial of Service) attack, blocking any user from being able to send any jobs to the printer or from accessing the printer’s web interface.

All an attacker has to do is send the printer’s web server a single malformed HTTP POST request and the printer will hang for some time before eventually responding with a status code of 500, indicating an internal server error.

The advisory does not indicate how the request is malformed but the proof-of-concept code accompanying it appears to have an incorrect Content-Length header, indicating that the printer should expect more data than it’s going to get.

When an attacker gets a response from the web server, they can send another malformed request to hang the printer again, and again, and again. As long as this cycle goes on, the printer is effectively bricked. Any Brother printers that use the Debut-based web interface are vulnerable to this attack.

The vulnerability can be exploited by anybody with access to the printer, which normally means people on the same company network, but sometimes means everyone.

Printers are rather notorious for being overexposed to the internet and poorly secured (if at all). It only takes a quick search on Shodan, the search engine for the IoT (Internet of Things) to find thousands upon thousands of printers wide open and exposed to the internet without so much as a password to protect them.

So while this may sound more like an opportunity for mischief than a stop-the-presses vulnerability, a remote attacker could use this vulnerability as a stepping stone to something more damaging than an unmoving print queue.

A bricked printer can distract a busy IT team, drawing them away from more subtle attacks, or serve as a convincing-enough ruse for someone with social engineering skills to make their way into an office and snoop around.

In light of all this, Brother’s apparent silence was surprising. The advisory lists three attempts by Trustwave to contact Brother and we’ve not seen any official remediation advice from that company, comments below notwithstanding.

The Trustwave advisory suggests the following:

No patch currently exists for this issue. To limit exposure, network access to these devices should be limited to authorized personnel through the use of Access Control Lists and proper network segmentation.

To which Brother added the following, in recent comments made to SC Computing:

We recommend that the printer password feature is always activated. For those with advanced requirements, Brother offers industry standard protocols such as IPsec, SSL, TLS, SNMPv3 and more, which can be enabled to further secure the printing environment … We encourage any customers with questions about their Brother printer security and set up to contact our customer services team for assistance and guidance.

Or, to put all that advice another way, the principle of least privilege applies here, just as it does everywhere else: the only people who should have access to your printer’s web interface, no matter who made it, are the people who need to have that access.


This is a Security Bloggers Network syndicated blog post. Read the original at: Naked Security 2017-11-11.