Researchers at Rapid7 have disclosed eight security vulnerabilities affecting hundreds of printer models from Brother and other major vendors. In total, 742 device models across four vendors (Brother, Fujifilm Business Innovation, Ricoh, and Toshiba Tec Corporation) are impacted. Most of the affected devices are multifunction printers, but scanners and label makers are also among them.
Scope of Impact
• Brother: 689 models (printers, scanners, label makers)
• Fujifilm Business Innovation: 46 models
• Ricoh: 5 models
• Toshiba Tec Corporation: 2 models
Given how widely these product lines are deployed, millions of enterprise and home devices worldwide are potentially exposed to attack.
Key Vulnerabilities
CVE-2024-51978: Authentication Bypass
The most critical vulnerability allows a remote, unauthenticated attacker to obtain the device's default administrator password and thereby bypass authentication. It exists because Brother devices derive the default admin password deterministically from the device's serial number during manufacturing: anyone who knows the serial number and the derivation procedure can reproduce the password, and the serial number can be leaked through various means (see CVE-2024-51977 below). With the admin password, an attacker can reconfigure the device or misuse its functions. The weakness only matters on devices that are still using the default password; once an administrator has set a different password, knowing the serial number no longer yields a valid credential.
CVE-2024-51977: Information Disclosure
An unauthenticated attacker can use this vulnerability to read the device's serial number over the network. On its own a serial number is of little value, but chained with CVE-2024-51978 it is all that is needed to compute the default admin password, so the two issues together turn a network-reachable printer with an unchanged default into an administrator-level compromise.
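To make the design flaw behind CVE-2024-51978 and its chaining with CVE-2024-51977 concrete, here is an added example that is not Brother's code and does not use Brother's actual derivation: the derivation below (SHA-256 of the serial number plus a fixed product-wide salt, truncated to 8 characters) is a stand-in chosen only to show the structural weakness. The salt value, the serial numbers and the device inventory are constructed for the example. It shows, side by side, why a deterministic serial-derived default is recoverable by anyone who obtains the serial, what the fix looks like (a per-unit random secret generated at manufacturing time), and an administrator-side audit that flags devices still on the derived default.

```python
"""
Serial-derived default credentials: the weakness, the fix, and an audit.

Illustrative model only. The derivation here is NOT Brother's algorithm;
it exists to show why "default password = f(public identifier)" fails.
"""
import base64
import hashlib
import hmac
import secrets

# Assumption for the example: a fixed salt baked into every unit's firmware.
# Because it is identical on every device, extracting it once (for instance
# from a firmware image) defeats it on every device. Constructed value.
FIXED_SALT = b"example-product-salt"


def derived_default_password(serial: str) -> str:
    """Deterministic default: serial + fixed salt -> SHA-256 -> 8 printable chars.

    Anyone holding the serial and this function reproduces the password, which
    is exactly the property CVE-2024-51978 exploits (in its real form).
    """
    digest = hashlib.sha256(serial.encode() + FIXED_SALT).digest()
    return base64.b64encode(digest).decode()[:8]


def random_default_password(nbytes: int = 12) -> str:
    """Hardened alternative: a per-unit secret from the OS CSPRNG.

    Generated at manufacturing time and recorded on the unit's label; nothing
    public (serial, MAC, model) lets an attacker derive it.
    """
    return secrets.token_urlsafe(nbytes)


def attacker_recovers_password(leaked_serial: str) -> str:
    """The chain in this model: a serial leaked without authentication
    (the role CVE-2024-51977 plays) is fed to the known derivation."""
    return derived_default_password(leaked_serial)


def still_on_derived_default(serial: str, current_password: str) -> bool:
    """Administrator check: is this unit still using its derived default?

    hmac.compare_digest keeps the comparison constant-time should this ever
    be wired to a live credential check rather than an offline inventory.
    """
    return hmac.compare_digest(derived_default_password(serial), current_password)


def audit(inventory: dict[str, str]) -> list[str]:
    """Return the serials of devices whose admin password is still the
    derived default, i.e. the ones that need a manual password change."""
    return [serial for serial, pw in inventory.items()
            if still_on_derived_default(serial, pw)]


# Constructed inventory: serial -> admin password as known to the administrator.
SAMPLE_INVENTORY = {
    "EXAMPLE-SN-0001": derived_default_password("EXAMPLE-SN-0001"),  # never changed
    "EXAMPLE-SN-0002": "Tq9!vR2mLx8#",                               # changed by admin
}

if __name__ == "__main__":
    serial = "EXAMPLE-SN-0001"
    print("default the attacker computes from the leaked serial:",
          attacker_recovers_password(serial))
    print("per-unit random default (not derivable):", random_default_password())
    print("devices still on the derived default:", audit(SAMPLE_INVENTORY))
```

The audit function is the part worth keeping around: on real hardware it would be driven by the vendor's published derivation (or simply by attempting a login with the vendor's documented default), and any device it flags is one where a network-reachable serial number equals an administrator credential.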
Other Vulnerabilities
The remaining vulnerabilities (rated medium to high severity) include:
• Denial-of-service (DoS) conditions that leave the device unresponsive
• Forcing the printer to open a TCP connection to a host of the attacker's choosing (a server-side request forgery primitive)
• Obtaining passwords for external services configured on the device (such as the directory or file servers it authenticates to)
• Triggering a stack overflow
• Performing arbitrary HTTP requests from the printer (likewise a server-side request forgery primitive)
Six of the eight vulnerabilities can be exploited without authentication; the remaining two require valid credentials, which CVE-2024-51978 can supply on any device still using its default password.
Remediation and Response
Brother has released firmware updates for most of the vulnerabilities. The authentication bypass (CVE-2024-51978), however, cannot be fully fixed by firmware alone, because the weakness lies in the manufacturing process that assigned each device's default password. Brother has changed that process for all affected models so that newly manufactured devices are no longer affected. Devices built under the old process keep their serial-derived defaults and cannot be fully patched; for these, Brother has provided a workaround (see Recommendations below).
Rapid7 worked with Brother and Japan’s JPCERT/CC for over a year to coordinate the disclosure and mitigation efforts. Other vendors have also issued advisories and updates.
Recommendations
• Apply Firmware Updates: Users should promptly apply the latest firmware updates provided by Brother and other affected vendors.
• Change Default Passwords: For devices manufactured before the process change, administrators should manually set a strong, unique administrator password that is not derived from the serial number or any other identifier printed on or exposed by the device. On existing hardware this is the only effective mitigation for CVE-2024-51978.
• Monitor Vendor Advisories: Stay updated with advisories from Brother, Fujifilm, Ricoh, and Toshiba for additional guidance and model-specific instructions.