Over the past couple of years we’ve encountered increasing numbers of customers using various print management vendors. Many of them are using the same application suite to manage their printers, and by default it has a blank admin password. In most of the instances we’ve observed, this password has not been changed, let alone set to something strong. Likewise, most of the managed printers are not configured to use authentication, or are using the default credentials.
When we encounter this, one of the “benefits” this application affords us, because it keeps a fairly detailed inventory including model numbers, is that it allows us to pinpoint areas of attack and compromise. Printers that we know have issues, or printers with functionality such as saving to network shares, SNMP, etc., can be leveraged without doing activities that would be easily detectable on the network.
Now you might be saying “they’re just printers”, right? Many have said that in the past, only to end up having us tell them we accessed sensitive data through a chain of events that started because a printer was leaking domain user credentials. Many older and even some newer printers will display credentials in the HTML source.
Even if they don’t directly leak the credentials, if they are configured to use LDAP or SMTP then the IP for these services can be changed to something controlled by the attacker, and the credentials can be harvested when the printer tries to talk to the attacker’s service.
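The two weaknesses just described (a password sitting pre-filled in the config page’s HTML source, and LDAP/SMTP server settings pointing somewhere they shouldn’t) can both be checked from the defender’s side by auditing the config pages of your own fleet. The following is an added example, not code from the original post or from any print management vendor; the field names, approved hosts and the sample page are all hypothetical, constructed for this illustration.

```python
"""Audit a printer's web-UI config page for two weaknesses described above:
password fields delivered pre-filled (secret sits in the HTML source) and
LDAP/SMTP server fields pointing outside an approved allowlist (tampering)."""
from html.parser import HTMLParser
import ipaddress

# Hypothetical approved infrastructure for this example; adjust to your own.
APPROVED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
APPROVED_HOSTS = {"ldap.corp.example", "smtp.corp.example"}
SERVER_FIELDS = {"ldap_server", "smtp_server"}  # hypothetical field names


class ConfigFormParser(HTMLParser):
    """Collect (name, type, value) of every <input> element on the page."""
    def __init__(self):
        super().__init__()
        self.inputs = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "input":
            a = dict(attrs)
            self.inputs.append((a.get("name") or "", (a.get("type") or "text").lower(), a.get("value") or ""))


def host_is_approved(host):
    # Approved by name, or an IP literal inside an approved network.
    if host in APPROVED_HOSTS:
        return True
    try:
        return any(ipaddress.ip_address(host) in net for net in APPROVED_NETS)
    except ValueError:  # not an IP literal and not an approved name
        return False


def audit_config_page(html):
    """Return [(field, finding), ...] for the weaknesses described above."""
    parser = ConfigFormParser()
    parser.feed(html)
    findings = []
    for name, typ, value in parser.inputs:
        if typ == "password" and value:
            findings.append((name, "password pre-filled in HTML source"))
        if name in SERVER_FIELDS and value and not host_is_approved(value):
            findings.append((name, f"server outside approved hosts: {value}"))
    return findings


# Constructed sample of a printer config page (not captured from a real device).
SAMPLE_PAGE = """<form>
<input name="ldap_server" type="text" value="203.0.113.7">
<input name="ldap_user" type="text" value="CORP\\scanner">
<input name="ldap_pass" type="password" value="example-secret">
<input name="smtp_server" type="text" value="smtp.corp.example">
<input name="smtp_pass" type="password" value="">
</form>"""
```

Run `audit_config_page` over pages fetched from each printer in your inventory; an empty result for a device means neither weakness was found on that page.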
Some systems will allow saving copies of scanned documents to a network share which can be sent directly to us. Accepting print jobs over anonymous FTP can be used in phishing attacks (a “self maintenance” printout advising users to visit a site just might do the trick…), and we’ve successfully used information gathered from printer information screens during social engineering.
So what can be done about this? If you’re using a vendor to manage your printers, make sure it’s being done in a secure manner: restrict access to the inventory management software, configure the printers to use authentication, and apply firmware updates regularly.
If you’re managing the printers yourself, with or without any kind of inventory management, always make sure printers are deployed with strong credentials configured, and don’t forget to include them in your patch management schedule.