
The Risk of Externally Accessible Printers

Written by TraceSecurity | Aug 8, 2025

By Justin Brose, Information Security Analyst, TraceSecurity

External networks are the public-facing perimeter of any organization’s virtual presence. Many services, such as web applications, are deployed on that perimeter to provide value or information to customers; however, these services can often have vulnerabilities that could weaken the walls of an organization’s network. Some services or devices shouldn’t be on the external network at all.

One device in particular that should have no accessibility from the external network is a printer. Printers are notorious for being inherently vulnerable due to the high demand for accessibility. When devices need to be accessed without many restrictions, security typically takes a back seat because more security measures mean more hurdles for the end-user to jump over before utilizing the device.

However, there should be little to no need for printers to have an external presence. Otherwise, an organization would be opening itself up for a potential breach point in its external defenses. In this article, we are going to explore some of those attack paths to enlighten the reader on the true impact of allowing a printer to reside on an externally facing network.

What Makes Printers Unsuitable for External Networks?

Before we identify some of the exciting ways that printers can be exploited to gain access to an internal network, we should explore what features (or bugs, depending on how you look at it) make these printers horrible candidates for an organization’s external network. To start, printers are essentially Internet of Things (IoT) devices. IoT devices have many protocols enabled that allow them to seamlessly communicate with other devices on a network. As you can imagine, this makes it quite easy for an attacker to communicate with the printer itself.

One of those protocols in particular is the Simple Network Management Protocol (SNMP). The intended function of this protocol is to allow network administrators or, in our case, printer technicians, to check the status of devices and remotely manage them. However, this protocol ends up allowing malicious actors to enumerate information about the internal network and enumerate internal users that are allowed to access the SNMP-enabled device.

Some specific version conditions must be met to exploit these vulnerabilities, but those conditions are met quite frequently. The final item we should consider for this section is how often printers are misconfigured. One clear example of printer misconfiguration is allowing anonymous access (gaining access to a device without providing a username or password) and/or default login access.

The danger of this attack vector is a potential enumeration of sensitive documentation that has been sent to the printer and saved in its cache. If a malicious actor were able to get hold of some sensitive customer/member information from the external network, that would be a less-than-ideal situation.

Common Attack Vectors for Printers

Now that we are more familiar with what makes printers inherently vulnerable to begin with, let’s explore some ways that malicious actors will exploit those weaknesses. As previously mentioned, printers have vulnerable protocols in place that allow for device/network information enumeration.

If a printer were externally facing, an attacker could enumerate certain bits of information, such as what model it is, how much paper it has, a log of interactions on the device, etc. This information could allow an attacker to create a convincing pretext (aka disguise) as a printer technician. This malicious actor could utilize this information to infiltrate your organization, encounter a printer, and potentially create persistence within the organization.

Since the human/personnel component is the weakest link in a cybersecurity program, the exploit is almost sure to work with that level of vetting. Another attack vector that a malicious actor could leverage is unpatched firmware vulnerabilities. This vector falls into a low-hanging fruit category as it is easy to detect vulnerabilities with certain firmware versions of devices, and this is likely a starting point for many malicious actors.

However, some of the dangers of this particular attack vector are Remote Code Execution (RCE) [a vulnerability that allows for code to be run from a remote location. In other words, an attacker could issue commands to an affected device without ever coming in contact with it], Denial-of-Service (DoS) [a vulnerability that overloads an affected device with requests or data to make it freeze or cease to operate for some time], and Remote File Inclusion (RFI) [a vulnerability that allows an attacker to upload files to an affected device from a remote location. This typically leads to RCE].

Finally, an attacker could perform print-job hijacking in a Man-in-the-Middle (MitM) attack. The attacker could intercept a print job as it is being sent from the internal network to the externally facing printer and read or possibly alter the contents of the print job. This would lead to the degradation of the confidentiality and integrity of any document that would be sent to the affected printer.

Recommendations

With this newfound knowledge, this begs the question: how does one ensure that their printers are not externally facing? To start, it is imperative to ensure that printers are never given public IP addresses. Always ensure that printers have an internal IP address to reduce the likelihood that the printer would be exposed to the internet.

Second, create firewall rules to filter out inbound access to printers on ports TCP 9100 (JetDirect), TCP 515 (LPD), TCP/UDP 161 (SNMP), and TCP 80/443 (web interfaces). This will help add a layer of defense to the printer to ensure that malicious actors aren’t able to easily identify that these devices exist.

Third, disable any unused services on printers. If FTP, Telnet, SNMP, or the web services are not used on these devices, then functionality for those protocols should be disabled immediately. Finally, get regular penetration tests performed to ensure that your remediation efforts are effective.
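The first two recommendations can be checked mechanically. The script below is an added example, not TraceSecurity's code: it audits a printer inventory and a perimeter allow-rule export for printers with non-RFC 1918 addresses and for inbound access from outside sources on the ports listed above. The inventory, the "source destination proto port" rule format, and every address are constructed for illustration.

```python
import ipaddress

# Ports the article says to filter inbound at the perimeter.
PRINTER_PORTS = {
    ("tcp", 9100): "JetDirect", ("tcp", 515): "LPD",
    ("tcp", 161): "SNMP", ("udp", 161): "SNMP",
    ("tcp", 80): "web interface", ("tcp", 443): "web interface",
}
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample data (hypothetical inventory and rule export).
PRINTERS = {"lobby-mfp": "10.20.3.15", "hr-laser": "203.0.113.40",
            "ops-mfp": "10.20.7.9"}
ALLOW_RULES = """\
any 10.20.3.15 tcp 9100
10.0.0.0/8 10.20.3.15 udp 161
any 10.20.0.0/16 tcp 443
any 10.20.9.0/24 tcp 25
0.0.0.0/0 203.0.113.40 tcp 515
"""

def is_internal(net):
    """True only if the whole network sits inside RFC 1918 space."""
    return any(net.subnet_of(r) for r in RFC1918)

def audit(printers, rules_text):
    """Return (printer, finding) tuples for the two perimeter checks."""
    findings = []
    nets = {name: ipaddress.ip_network(ip) for name, ip in printers.items()}
    # Check 1: printers must not hold public addresses.
    for name, net in nets.items():
        if not is_internal(net):
            findings.append((name, "public IP address"))
    # Check 2: no allow rule may admit outside sources to a printer port.
    for line in rules_text.splitlines():
        src, dst, proto, port = line.split()
        service = PRINTER_PORTS.get((proto, int(port)))
        src_net = ipaddress.ip_network("0.0.0.0/0" if src == "any" else src)
        if service is None or is_internal(src_net):
            continue
        dst_net = ipaddress.ip_network(dst, strict=False)
        for name, net in nets.items():
            if net.subnet_of(dst_net):  # also catches broad subnet-wide rules
                findings.append(
                    (name, f"inbound {proto}/{port} ({service}) allowed from {src}"))
    return findings

if __name__ == "__main__":
    for name, finding in audit(PRINTERS, ALLOW_RULES):
        print(f"{name}: {finding}")
```

Note that the subnet-wide rule for 10.20.0.0/16 is reported against every printer inside it, which is how a rule written for a web server can expose a printer's management interface.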

Printers are utilized in almost every organization, and sensitive data is often sent to these devices. However, printers are almost always misconfigured or have glaring security concerns, so removing these devices from the external network is imperative to a secure externally facing network.

In conclusion, it can be difficult to identify that printers are misconfigured from an internal perspective, so it is important to have a professional evaluation of your organization’s external attack surface. TraceSecurity provides comprehensive External Penetration Tests (EPTs) to fulfill this need in your cybersecurity plan. So, what are you waiting for? Find those printers, ensure best practices, and let us validate your efforts!
