Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Application Security //

Malware detection

8/17/2018
08:05 AM
Jeffrey Burt
Jeffrey Burt
Jeffrey Burt
50%
50%

Check Point: Fax Machines, Networks Vulnerable to Attack

Researchers for the cybersecurity company found a way to exploit vulnerabilities in the fax system of an HP OfficeJet inkjet all-in-one printer to gain access to all systems on a network.

The fax machine might seem like a relic of the past in this age of instant communication, but fax systems are still in millions of offices as part of connected all-in-one printers, and that connectivity makes these systems another pathway for hackers to get into corporate and consumer networks. Researchers at Check Point put that threat into focus when they took advantage of vulnerabilities in the fax functions of an HP Inc. OfficeJet inkjet printer to gain entrance into other systems on the network.

By sending what the researchers called a "maliciously crafted fax," they were able to exploit several vulnerabilities in the widely-used ITU T.30 fax protocol found in HP's implementation in all of its inkjet printers -- including the Officejet Pro 6830 used in the research -- and take complete control of the machine.

"From that point on, anything was possible," Check Point security researchers Eyal Itkin and Yaniv Balmas wrote in a blog post. "We decided the best way to showcase this control will be to use Eternal Blue in order to exploit any PC connected to the same network, and use that PC in order to exfiltrate data back to the attacker by sending … a fax."

The researchers talked about their work at the Def Con 2018 conference. In addition, Check Point notified HP officials about the two vulnerabilities (CVE-2018-5925 and CVE-2018-5924) before announcing the results of the research, enabling the vendor to release patches for both.

At a time when everything from email and text to mobile applications and cloud services dominate our communications methods, it shouldn't be lost on companies that fax machines are not only still around as part of larger systems, but that they're connected both to the corporate network and the outside world.

Itkin and Balmas noted that a Google Search found that there are still more than 300 million fax numbers in use and that all-in-one printers "are then connected both to the internal home or corporate networks through their Ethernet, WiFi, Bluetooth, etc., interfaces. However, in addition they are also connected to a PSTN phone line in order to support the fax functionality that they include."

Particularly in the era of the Internet of Things, companies should be careful not to overlook such machines as printers and other connected devices as they plan out their security environment, according to Joseph Kucic, chief security officer at cybersecurity provider Cavirin. (See DNS Rebinding Attack Could Affect Half a Billion IoT Devices.)

"War-dialing was a very common method to find PSTN connections years ago, but it is still an effective method for hackers, as the Check Point Faxploit shows," Kucic told Security Now in an email. "Today, many printers/scannners/multi-use devices also establish Internet outbound connections to be able to receive transmissions. A good cyber posture includes having a holistic view of the entire environment. Many enterprises find that the building/facility security and/or CCTV networks are vulnerable points of entry as they traditionally have not been managed by cybersecurity teams."

The Check Point analysts agreed, saying "this security risk should be given special attention by the community, changing the way that modern network architectures treat network printers and fax machines. From now on, a fax machine should be treated as a possible infiltration vector into the corporate network."

All-in-one printers with fax functions support protocols that conform to the ITU T.30 standard, which details the capabilities required from both the sender and receiver. It also outlines the various phases of the protocol. Usually, but not always, the Officejet printer uses the .TIFF image format when sending a fax.

When the researchers saw they could send a color fax, they learned that the data is received and stored to a .jpg file, giving the researchers control of the entire file. They did this by sending malicious code through the fax, where it eventually was stored in memory.

The next step was getting the color fax printed. Here the researchers found a custom JPEG parser being used instead of the libjpeg standard. It was in the JPEG parser that Itkin and Balmas found the two vulnerabilities.

"From an attacker's point of view this is a jackpot, as finding a vulnerability in a complex file format parser looks very promising," they wrote.

Going from exploiting the vulnerabilities to spreading into the computer network meant using the Eternal Blue and Double Pulsar tools, both of which were developed by the National Security Agency (NSA) and used on the researchers' file-based Turing Machine. With the tools, they were able to infiltrate the systems on the entire network, a move that would give hackers access to sensitive data and files.

"Using the HP Officejet Pro 6830 all-in-one printer as a test case, we were able to demonstrate the security risk that lies in a modern implementation of the fax protocol," Itkin and Balmas wrote. "Using nothing but a phone line, we were able to send a fax that could take full control over the printer, and later spread our payload inside the computer network accessible to the printer."

Related posts:

— Jeffrey Burt is a longtime tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
When It Comes To Security Tools, More Isn't More
Lamont Orange, Chief Information Security Officer at Netskope,  1/11/2021
US Capitol Attack a Wake-up Call for the Integration of Physical & IT Security
Seth Rosenblatt, Contributing Writer,  1/11/2021
IoT Vendor Ubiquiti Suffers Data Breach
Dark Reading Staff 1/11/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-28476
PUBLISHED: 2021-01-18
All versions of package tornado are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with default configura...
CVE-2020-28473
PUBLISHED: 2021-01-18
The package bottle from 0 and before 0.12.19 are vulnerable to Web Cache Poisoning by using a vector called parameter cloaking. When the attacker can separate query parameters using a semicolon (;), they can cause a difference in the interpretation of the request between the proxy (running with defa...
CVE-2021-25173
PUBLISHED: 2021-01-18
An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory allocation with excessive size vulnerability exists when reading malformed DGN files, which allows attackers to cause a crash, potentially enabling denial of service (crash, exit, or restart).
CVE-2021-25174
PUBLISHED: 2021-01-18
An issue was discovered in Open Design Alliance Drawings SDK before 2021.12. A memory corruption vulnerability exists when reading malformed DGN files. It can allow attackers to cause a crash, potentially enabling denial of service (Crash, Exit, or Restart).
CVE-2021-25175
PUBLISHED: 2021-01-18
An issue was discovered in Open Design Alliance Drawings SDK before 2021.11. A NULL pointer dereference exists when rendering malformed .DXF and .DWG files. This can allow attackers to cause a crash, potentially enabling a denial of service attack (Crash, Exit, or Restart). This is issue 1 of 3.