By Guru Baran - February 17, 2025
Xerox Printers Vulnerability Let Attackers Capture Authentication Data From LDAP & SMB
Multiple vulnerabilities in enterprise-grade Xerox Versalink C7025 multifunction printers (MFPs) enable attackers to intercept authentication credentials from Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) services.
Designated as CVE-2024-12510 and CVE-2024-12511, these flaws allow malicious actors to execute “pass-back attacks” – a technique that redirects device authentication attempts to attacker-controlled systems.
The vulnerabilities, discovered by Rapid7 Principal IoT Researcher Deral Heiland, affect firmware versions 57.69.91 and earlier on Xerox’s widely deployed enterprise printers.
LDAP Pass-Back Exploitation (CVE-2024-12510)
The LDAP vulnerability enables attackers with administrative access to the printer’s web interface to reconfigure the LDAP server IP address to a rogue host.
Once modified, any LDAP authentication attempt initiated through the printer’s “User Mappings” feature transmits clear-text credentials to the attacker’s server.
[Image: Intercept authentication credentials]
This attack preys on organizations using LDAP for centralized user authentication, requiring:
Valid LDAP configuration on the printer for normal operations
Compromise of the printer’s admin credentials (default or weak passwords)
Network access to modify LDAP server settings
Security analysts demonstrated the attack using a Python-based LDAP listener, capturing credentials in real time during printer-initiated authentication requests.
The harvested credentials could grant attackers access to enterprise directories containing sensitive user attributes and permissions.
SMB/FTP Credential Interception (CVE-2024-12511)
The secondary vulnerability targets the printer’s scan-to-network functionality. Attackers modifying SMB/FTP server entries in the device’s address book can redirect file scans to malicious hosts. This technique captures:
NetNTLMv2 hashes when using SMB, enabling relay attacks against Active Directory
Clear-text credentials if FTP authentication is configured
Metasploit’s auxiliary/server/capture/smb module can harvest NetNTLMv2 challenges, which attackers then crack offline or relay to domain-joined systems.
[Image: clear-text FTP authentication credentials]
Researchers’ testing showed successful compromise of domain admin accounts when printers used privileged service accounts for scan-to-folder workflows.
Enterprise Impact and Attack Scenarios
These vulnerabilities present critical risks due to:
Lateral Movement Potential: Compromised domain credentials enable attackers to pivot from printers to file servers, ERP systems, and cloud resources.
Persistence Opportunities: Captured SMB hashes facilitate golden ticket attacks and persistent AD footholds.
Physical Access Exploitation: Attackers could execute attacks locally via the printer’s control panel without needing network access.
In one demonstrated attack chain, researchers gained admin access via default credentials (Xerox devices often retain factory defaults), pointed the LDAP server setting at an attacker-controlled IP, triggered an LDAP sync via the “Test Connection” feature, and used the captured credentials to access HR databases containing PII.
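Both pass-back variants share one observable: a printer opening an LDAP (389/636) or SMB/FTP (445/21) connection to a host that is not one of its approved directory or file servers. The following detection script is an added example, not code from the article or from Rapid7; the printer subnet, the approved server addresses, the firewall log format and the log lines themselves are constructed for illustration, and the firmware threshold 57.69.92 comes from the advisory text above.

```python
import ipaddress
from collections import namedtuple

# Constructed allow-lists (assumptions): where the printers live and the only
# hosts they may legitimately authenticate to for LDAP and scan-to-folder.
PRINTER_SUBNET = ipaddress.ip_network("10.20.30.0/24")
APPROVED_LDAP = {"10.0.0.10", "10.0.0.11"}   # domain controllers
APPROVED_FILE = {"10.0.1.20"}                # scan-to-folder file server
WATCHED_PORTS = {389: "LDAP", 636: "LDAPS", 445: "SMB", 21: "FTP"}

# First firmware version stated as fixing CVE-2024-12510/12511.
PATCHED_FIRMWARE = (57, 69, 92)

Finding = namedtuple("Finding", "src dst port proto")


def firmware_is_vulnerable(version):
    """True when a dotted firmware version is older than the patched release."""
    return tuple(int(p) for p in version.split(".")) < PATCHED_FIRMWARE


def parse_line(line):
    """Constructed key=value firewall log format, e.g. 'src=... dst=... dport=...'."""
    return dict(kv.split("=", 1) for kv in line.split())


def find_passback(lines):
    """Flag printer-originated LDAP/SMB/FTP flows to non-approved destinations."""
    findings = []
    for line in lines:
        f = parse_line(line)
        src, dst, port = f["src"], f["dst"], int(f["dport"])
        if ipaddress.ip_address(src) not in PRINTER_SUBNET:
            continue                      # only printer egress is of interest
        proto = WATCHED_PORTS.get(port)
        if proto is None:
            continue                      # not an authentication-bearing protocol
        approved = APPROVED_LDAP if port in (389, 636) else APPROVED_FILE
        if dst not in approved:
            findings.append(Finding(src, dst, port, proto))
    return findings


# Constructed sample log lines: two benign flows, two pass-back style flows,
# one non-printer source and one unwatched port.
SAMPLE_LOGS = [
    "ts=2025-02-17T10:00:01Z src=10.20.30.5 dst=10.0.0.10 dport=389 action=allow",
    "ts=2025-02-17T10:00:07Z src=10.20.30.5 dst=203.0.113.7 dport=389 action=allow",
    "ts=2025-02-17T10:01:12Z src=10.20.30.5 dst=10.0.1.20 dport=445 action=allow",
    "ts=2025-02-17T10:01:30Z src=10.20.30.5 dst=203.0.113.7 dport=445 action=allow",
    "ts=2025-02-17T10:02:00Z src=10.0.5.9 dst=203.0.113.7 dport=445 action=allow",
    "ts=2025-02-17T10:02:30Z src=10.20.30.5 dst=10.0.0.10 dport=443 action=allow",
]
```

Pair the detection with an egress rule that blocks the same flows, since a printer that can only reach its approved servers cannot be redirected to a rogue host even if its admin interface is compromised.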
Mitigation Strategies
Xerox released patched firmware (version 57.69.92+) addressing both CVEs. If immediate patching isn’t feasible:
Rotate all printer service account passwords
Disable unused protocols (FTP/SMBv1) via administrative console
Implement network segmentation restricting printer communication to essential ports
Enable MFA for printer administrative access
With patched firmware now available, organizations must act swiftly to close this attack vector before threat actors exploit these vulnerabilities in the wild.
Guru Baran
https://cybersecuritynews.com
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.