COVID Delays Patching of Vulnerable Konica Minolta Printers3 Bugs Found in 2019 Cannot Be Patched Without Physical Access to the Printers
Hundreds of thousands of Konica Minolta printers that are used widely across businesses have reportedly been vulnerable to three critical flaws since 2019. Although a patch was made available in early 2020, the deployment could not be done at the time since the firmware update required physical access to the printers and COVID-19 lockdowns around the globe made that difficult, if not impossible.
The vulnerabilities that are now being tracked as CVE-2022-29586, CVE-2022-29587 and CVE-2022-29588 were found by researchers at SEC Consult, an Atos-owned cybersecurity firm. If successfully exploited, they could give an attacker root privileges to the underlying operating systems used in the printers.
The catch? Just as updating the firmware requires physical access, its exploitation also requires physical access to the printer, according to SEC Consult's security advisory.
But this does not mean that exploitation of the vulnerability is less likely, Johannes Greil, the head of SEC Consult Vulnerability Lab, tells Information Security Media Group. "The chances [of exploitation] are very high, especially in business environments where those printers are mainly being used. An attacker with physical access can exploit our identified vulnerabilities and gain access to sensitive information, such as admin passwords in clear text," which is a severe cause of concern, Greil says.
Konica Minolta, however, tells ISMG that the vulnerabilities are "unlikely" to be exploited. "In order to exploit [these] vulnerabilities, multiple conditions are required in addition to a physical access to the device, and few users meet such conditions," it says.
Citing Konica Minolta, Greil also says that the vulnerable firmware is not exclusively used in the Konica Minolta printers but also in multiple devices of various original equipment manufacturers. But, he says, "We are not aware of which devices/vendors specifically."
According to SEC Consult's security advisory, Konica Minolta confirmed that its 46 bizhub MFP models were affected by these vulnerabilities. It says there are "hundreds of thousands" of these printers worldwide and that devices are also rebranded and sold by other companies.
Konica Minolta tells ISMG "as more than two years have passed since the release of the firmware update, we assume firmware of most devices has been updated. Therefore, in coordination with SEC Consult, we agreed to their release of advisory this time." The company, however, did not disclose any specific number of the devices that have been updated, citing company policy.
Greil tells ISMG that the company gave SEC Consult permission to release its security advisory and he believes "they are confident enough to have most affected devices patched."
The reason for this patching process to be done manually is because "for multi-functional peripherals client support, firmware is typically updated by field technicians. The Konica Minolta Group also operates firmware remote update services based on customer's demand, but the service penetration rate was not high in early 2020, when the vulnerabilities were first discovered," Konica Minolta tells ISMG.
"No exploitation of these vulnerabilities has been reported, so far," the Japanese manufacturing giant confirms.
All the affected firmware versions and the respective vulnerabilities are listed in SEC Consult's security advisory.
The Trio of Vulnerabilities
The sandbox escape with root access vulnerability tracked as CVE-2022-29586 has seven well-defined steps, explained in detail in an SEC Consult blog post. Here is an overview.
The vulnerable printer models contain a touch-screen terminal to the printer, which is used to control it. This touch-screen terminal hosts a user interface that uses a proprietary application.
"By opening certain applications and/or settings via the terminal, it was possible to observe a slight change in the look and feel of the user interface itself. It was quickly determined that this was the result of context change, meaning that the applications running are not solely based on the proprietary application," the advisory says.
After attaching a keyboard to the printer via a USB, the researchers pressed specific key combinations and determined that some application parts were running an ordinary Chromium browser in "kiosk mode," which could be escaped easily by pressing the F12 key that opens up the developer console. But most of the other key combinations were blacklisted, the researchers say.
"This allows an attacker to get full access to the underlying printer's operating and file system, including configuration files, passwords in clear text, proprietary scripts and many more."
Greil tells ISMG that an attacker needs to exploit CVE-2022-29586 first as "it is a prerequisite for the other vulnerabilities - e.g., gaining access to the passwords in clear text."
After the first vulnerability was exploited, the researchers determined that the printer UI and the Chromium browser were running with root privileges after escaping the printer terminal's sandbox.
Greil says, "As the affected Chromium browser - used within the interface - is running as root, it is possible for an attacker to also gain access to system files that are usually not accessible to standard users - such as the /etc/shadow file. This allows an attacker to get full access to all files and folders on the operating system," and is thus tracked as a separate vulnerability, CVE-2022-29587.
CVE-2022-29588 stores passwords in clear text on the file system. "As an example, an attacker can now access the directory
"/var/log/nginx/html". This folder contains a file called ADMINPASS, which has the administrator password for the printer terminal and web interface displayed in plain text," the researchers say.
They add that multiple passwords in clear text were found on the file system of the printer, which includes Unix user account passwords and printer administrative passwords.
SEC Consult's blog post describes how an attacker can tamper with the touch screen to display a website controlled by the attacker instead of the regular user interface, and how this can be used to display fake login screens to phish domain credentials or to automatically send a copy of printed or scanned files to a remote server controlled by the attacker. But it adds that this is just one scenario and that "the possibilities are endless."
Although SEC Consult advises the application of patches for this vulnerability, it says that Konica Minolta has provided a workaround.
According to SEC Consult, Konica Minolta advises users to disable the external USB keyboard using the "Customer Administrator" setting. It also strongly recommends setting a new Customer Admin password. Most customers, however, do not need to use the external keyboard so this workaround is effective for them until they update their firmware, Konica Minolta says.
Greil tells ISMG that this proof of concept and the vulnerabilities have never previously been presented or discussed in any forums or conferences, so it is likely that this workaround will work for now. But he says that if the patch has not yet been applied by Konica Minolta's service engineer manually, users should contact the company immediately.
The Way Forward
Although Konica Minolta came up with a patch very quickly and responded quickly during SEC Consult's responsible disclosure process, the fact remains that "nearly three years passed between initial discovery, first contact and the final release of the advisory," the advisory says. The unknown of the pandemic was a definite reason for this elongated process, and the missing central patch management system was a bigger issue, SEC Consult says.
The identification of these critical vulnerabilities and the deficiencies in the remote patching process or firmware update architecture shows that vendors have to proactively invest in secure software design at the beginning of the development life cycle and engage continuous security testing, Greil says.
Retrospective fixing of security issues can lead to significant patch management costs for vendors or customers, especially when patches can't be automatically deployed and have to be manually applied by specialists on-site. Customers will be left unprotected for long periods due to flawed design, he adds.
Jonathan Knudsen, head of global research at Synopsys' Cybersecurity Research Center, says that patching is hard but tells ISMG, "The only way patching gets better is if we do it less frequently. The only way to get to less frequent patching is by finding and fixing more bugs before releasing software, and the only way to do that is more testing and better testing during software development."
To improve software patching, security needs to be infused into every phase of software development, from design through implementation, testing and release, Knudsen says. Using a broad-spectrum, proactive approach to software security results in better products that require fewer patches, which ultimately benefits everyone in the ecosystem, he says.