Firmware flaw resolved after extended 28-month disclosure process
Xerox has addressed a vulnerability in its firmware that created a means for unauthenticated users to “remotely brick” some models of its network printers.
The vulnerability (CVE-2022-23968) predominantly affects Xerox VersaLink devices and offers a mechanism for attackers to crash and render temporarily unusable a targeted printer using a maliciously crafted TIFF file and an unauthenticated HTTP POST request.
The issue was uncovered by security researcher Mahmoud Al-Qudsi while developing a one-click scan-to-print daemon back in September 2019.
Al-Qudsi alerted Xerox in September 2019, and chased the vendor for an update in January 2020, learning that the security flaw was confirmed as valid but still unresolved.
It was only this month, January 2022, that a CVE was issued and patches published, days after Al-Qudsi went public with details of the vulnerability and suggested workarounds in a technical blog post.
The vulnerability is particularly nasty because it can be used to crash a device in such a way that problems persist beyond a simple reboot.
“The root cause is device/kernel panic from bad TIFF parser but actual cause is really poor design/architecture,” Al-Qudsi told The Daily Swig.
“If handling a single job crashes, that brings the whole thing down. Jobs are added to the queue before they’re fully parsed and validated… Bad jobs persist past a reboot.”
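The design point in the quote above, the difference between persisting a job before it is parsed and validating it first, is easy to show in a small simulation. The following is an added example, not Xerox firmware and not Al-Qudsi's code; the TIFF "parser" is a stand-in that only checks the 8-byte header, the spooler classes and the `DeviceCrash` exception are hypothetical, and the two sample jobs are constructed for the demonstration.

```python
# Added illustration of enqueue-before-validate versus validate-before-enqueue.
# Not Xerox code. The parser below is a toy that checks only the TIFF header.
import struct

# Constructed sample jobs: a valid little-endian TIFF header, and a payload
# with the right byte-order mark but a wrong magic number (43 instead of 42).
GOOD_TIFF = b"II" + struct.pack("<H", 42) + struct.pack("<I", 8)
BAD_TIFF = b"MM" + struct.pack(">H", 43) + struct.pack(">I", 8)


def parse_tiff_header(data: bytes) -> dict:
    """Toy parser: accept a well-formed 8-byte TIFF header, raise on anything else."""
    if len(data) < 8:
        raise ValueError("truncated TIFF header")
    order = data[:2]
    if order == b"II":
        endian = "<"
    elif order == b"MM":
        endian = ">"
    else:
        raise ValueError(f"bad byte-order mark {order!r}")
    magic, ifd_offset = struct.unpack(endian + "HI", data[2:8])
    if magic != 42:
        raise ValueError(f"bad TIFF magic {magic}")
    if ifd_offset < 8:
        raise ValueError("IFD offset points inside the header")
    return {"endian": endian, "ifd_offset": ifd_offset}


class DeviceCrash(Exception):
    """Stands in for a device/kernel panic: the whole spooler goes down."""


class EnqueueFirstSpooler:
    """The design the article criticises: a job is persisted before it is parsed,
    and a parser failure is not contained, so the job is still in the queue after
    a reboot and takes the device down again."""

    def __init__(self, persistent_store: list):
        self.store = persistent_store  # survives a simulated reboot

    def submit(self, job: bytes) -> None:
        self.store.append(job)  # persisted unvalidated
        self._run()

    def _run(self) -> None:
        for job in self.store:
            try:
                parse_tiff_header(job)
            except ValueError as exc:
                raise DeviceCrash(str(exc)) from exc  # no per-job isolation

    def reboot(self) -> None:
        self._run()  # replays the same poisoned queue


class ValidateFirstSpooler:
    """Hardened design: parse and validate before anything is persisted, and treat
    a parser failure as one rejected job rather than a device fault."""

    def __init__(self, persistent_store: list):
        self.store = persistent_store
        self.rejected = []  # (job, reason) pairs, for logging/alerting

    def submit(self, job: bytes) -> bool:
        try:
            parse_tiff_header(job)
        except ValueError as exc:
            self.rejected.append((job, str(exc)))  # dropped, never persisted
            return False
        self.store.append(job)
        return True

    def reboot(self) -> None:
        for job in self.store:
            parse_tiff_header(job)  # only validated jobs can be here


def demo() -> dict:
    """Run both designs against the same two submissions and report the outcome."""
    result = {}
    poisoned_store = []
    bad = EnqueueFirstSpooler(poisoned_store)
    bad.submit(GOOD_TIFF)
    try:
        bad.submit(BAD_TIFF)
        result["enqueue_first_crashed"] = False
    except DeviceCrash:
        result["enqueue_first_crashed"] = True
    try:
        bad.reboot()
        result["enqueue_first_crashed_after_reboot"] = False
    except DeviceCrash:
        result["enqueue_first_crashed_after_reboot"] = True
    result["enqueue_first_queue_len"] = len(poisoned_store)

    clean_store = []
    good = ValidateFirstSpooler(clean_store)
    result["validate_first_accepted"] = good.submit(GOOD_TIFF)
    result["validate_first_rejected"] = not good.submit(BAD_TIFF)
    good.reboot()  # no exception: the bad job was never persisted
    result["validate_first_queue_len"] = len(clean_store)
    result["validate_first_rejected_count"] = len(good.rejected)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the simulation makes is that a parser hardened against malformed input is only half of the fix: even with a parser that merely raises instead of panicking, the enqueue-first design still fails the same job on every boot until someone clears the spool, whereas rejecting at submission time leaves nothing persistent for a reboot to replay.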
Chasing for updates
The bug took many months to resolve through an extended vulnerability disclosure process.
Al-Qudsi is critical of Xerox’s tardy response which the researcher noted contrasts with its official policy “extolling the benefits of ‘responsible disclosure’ and vow[ing] to take issues seriously, issue fixes quickly, and most importantly, keep security researchers constantly apprised of any developments as they occur”.
“They were very quick to reply to my initial requirements for disclosing the bug to them, but after that they never reached out to me and I had to bug them for updates,” Al-Qudsi told The Daily Swig.
In response to queries from The Daily Swig, Xerox offered a statement referencing security updates to address the issue and an associated security bulletin, published on Thursday (January 27):
We are committed to upholding strong security standards and take that responsibility seriously. Xerox was made aware of a potential vulnerability impacting older versions of firmware on certain products. For more information on the matter, please refer to Xerox security bulletin XRX22-002 [pdf].
The vendor’s response omitted any explanation on why it took more than two years to resolve the vulnerability.
Behind the bug
Incidentally, this is the sort of attack that a recently introduced feature for the Chrome browser is meant to prevent.