The researcher said that important information on the vulnerabilities was ‘not suppressed’

Xerox vulnerability disclosure legal threat withdrawn

A cease-and-desist notice targeting the security researcher who discovered vulnerabilities impacting Xerox printers has been squashed with the removal of a “few extracts of code” in his public disclosure.

Airbus Security Lab security researcher Raphaël Rigo was due to host a talk at this year’s Infiltrate security conference to discuss critical vulnerabilities discovered in Xerox Multifunction Printers.

However, as previously reported, a notice was published by Infiltrate in February, with less than an hour to go until the talk, informing attendees that the session was cancelled due to legal problems.

BACKGROUND Xerox legal threat reportedly silences researcher at Infiltrate security conference

“We must cease and desist publication, presentation, and discussions related to the content of Raphaël’s talk,” the notice read.

This week, Rigo told The Daily Swig that the “issues had been resolved” and so the online talk, titled ‘Attacking Xerox Multifunction Printers’, was able to go live yesterday (April 22).

Infiltrate said on April 15 that the cease-and-desist order had “been lifted”.

Disclosure roadblocks

Rigo’s research began in January 2019. However, disruption caused by Covid-19 and the last-minute legal threat meant that the work could only be made public this month.

During the presentation, which included attendees from Xerox, Rigo explained that in order for the talk to go ahead, certain “elements” were removed, including “some passphrase details and a few extracts of code”.

“Although, the core is the same and no information I consider important was suppressed,” the researcher added.

Rigo’s talk is now available to watch on Vimeo

The researcher was then able to describe his examination of the Xerox WorkCenter 7835 and AltaLink 8030 – heavy-duty EAL2+ certified printers – on firmware released between 2017 and 2020.

Issues reported to the vendor included hardcoded, default account credentials; ‘service’ accounts hidden in the UI code of which passwords could not be changed; a “trivial-to-exploit” remote command injection vulnerability (CVE-2019-10880); a privilege escalation in AJAX handlers; a SQL injection flaw in the printers’ account management page; and a remote code execution bug caused by clone file functionality.

The small print

Xerox tackled the vulnerabilities in a September 2020 security release. This included an overhaul of privilege levels, enabling some accounts to only work when there was local access, and disabling backdoor accounts.

The other vulnerabilities reported by Rigo have also been resolved.

Rigo also described command injection and buffer overflow vulnerabilities in the Xerox VersaLink, as well as security weaknesses caused by backdoor URLs accessible with hardcoded accounts and the same clone file RCE vulnerability.

Read more of the latest infosec research news from around the world

These security flaws were resolved in June 2020, a year after disclosure. However, the clone file RCE was not fixed until March 5, 2021, as initial attempts to patch the problem failed.

“The multifunction printers are a really easy target as large companies still like using paper and are often overlooked by security teams, as contractors [usually] are responsible for these peripheral devices on an enterprise network,” Rigo said.

Xerox declined to comment.

In related news this month, a new GitHub repository was launched to document battles between researchers and organizations which are the subject of good faith research, including reactions, legal demands, and cease-and-desist notices.

RELATED Security researcher launches GoFundMe campaign to fight legal threat over vulnerability disclosure