############################################################# # # COMPASS SECURITY ADVISORY http://www.csnc.ch/ # ############################################################# # # Product: OKI C5510MFP Printer # Vendor: OKI Printing Solutions (http://www.okiprintingsolutions.com/) # Subject: Printer Reveals Password / # Password and the configuration can be altered without authentication # Risk: High # Effect: Remotely exploitable # Author: Adrian Leuenberger (adrian.leuenberger (at) csnc (dot) ch) # Date: 01/17/2008 # ############################################################# Introduction: ------------- The OKI C5510MFP printer offers a web interface for the configuration. Certain pages require higher privileges for making changes. However, the password required for accessing these pages is sent to the client in clear text by the printer. Furthermore, the password can be set without prior authentication. Consequently, the whole configuration can be changed without knowing the password. Vulnerable: ----------- The tested model is an OKI C5510MFP (Printer CU Version: H2.15 / Printer PU Version: 01.03.01 / System F/W Version: 1.01 / Web Page Version: 1.00). However, it is likely that other printers are affected as well. Remediation: ------------ Currenty, there is no workaround on the printer itself. A solution would be to implement ACLs in the network infrastructure level / firewall and block communication with ports that are not needed for printing. Vulnerability Management: ------------------------- 09/26/2007: Vendor notified 10/04/2007: Vendor receipt 01/16/2008: According to our contact at OKI, the information will be used for further development and there will be no patched firmware for the affected printers. Patches: -------- None Description: ------------ Basically, the vulnerability comes from a design flaw. There are two methods for configuring the printer: 1) Via Browser When requesting the webpage, a Java applet is downloaded and started. The applet creates a connection to TCP port 5548 on the printer and receives the configuration in clear text including the current administration password. 2) Via OKIMFP Network Setup Tool The client running on the PC creates a connection to TCP port 7777 and receives the configuration in clear text including the current administration password. References: ----------- http://www.csnc.ch/en/downloads/advisories.html