8/17/2018
08:05 AM
Jeffrey Burt
Check Point: Fax Machines, Networks Vulnerable to Attack

Researchers for the cybersecurity company found a way to exploit vulnerabilities in the fax system of an HP OfficeJet inkjet all-in-one printer to gain access to all systems on a network.

The fax machine might seem like a relic of the past in this age of instant communication, but fax systems are still in millions of offices as part of connected all-in-one printers, and that connectivity makes these systems another pathway for hackers to get into corporate and consumer networks. Researchers at Check Point put that threat into focus when they took advantage of vulnerabilities in the fax functions of an HP Inc. OfficeJet inkjet printer to gain entrance into other systems on the network.

By sending what the researchers called a "maliciously crafted fax," they were able to exploit several vulnerabilities in the widely used ITU T.30 fax protocol as implemented in all of HP's inkjet printers -- including the Officejet Pro 6830 used in the research -- and take complete control of the machine.

"From that point on, anything was possible," Check Point security researchers Eyal Itkin and Yaniv Balmas wrote in a blog post. "We decided the best way to showcase this control will be to use Eternal Blue in order to exploit any PC connected to the same network, and use that PC in order to exfiltrate data back to the attacker by sending … a fax."

The researchers talked about their work at the Def Con 2018 conference. In addition, Check Point notified HP officials about the two vulnerabilities (CVE-2018-5925 and CVE-2018-5924) before announcing the results of the research, enabling the vendor to release patches for both.

At a time when everything from email and text to mobile applications and cloud services dominates our communications, companies should not lose sight of the fact that fax machines are not only still around as part of larger systems, but that they are connected both to the corporate network and to the outside world.

Itkin and Balmas noted that a Google search found that there are still more than 300 million fax numbers in use and that all-in-one printers "are then connected both to the internal home or corporate networks through their Ethernet, WiFi, Bluetooth, etc., interfaces. However, in addition they are also connected to a PSTN phone line in order to support the fax functionality that they include."

Particularly in the era of the Internet of Things, companies should be careful not to overlook such machines as printers and other connected devices as they plan out their security environment, according to Joseph Kucic, chief security officer at cybersecurity provider Cavirin. (See DNS Rebinding Attack Could Affect Half a Billion IoT Devices.)

"War-dialing was a very common method to find PSTN connections years ago, but it is still an effective method for hackers, as the Check Point Faxploit shows," Kucic told Security Now in an email. "Today, many printers/scanners/multi-use devices also establish Internet outbound connections to be able to receive transmissions. A good cyber posture includes having a holistic view of the entire environment. Many enterprises find that the building/facility security and/or CCTV networks are vulnerable points of entry as they traditionally have not been managed by cybersecurity teams."

The Check Point analysts agreed, saying "this security risk should be given special attention by the community, changing the way that modern network architectures treat network printers and fax machines. From now on, a fax machine should be treated as a possible infiltration vector into the corporate network."

All-in-one printers with fax functions support protocols that conform to the ITU T.30 standard, which details the capabilities required of both the sender and the receiver and outlines the various phases of the protocol. Usually, but not always, the Officejet printer uses the .TIFF image format when sending a fax.

When the researchers saw that they could send a color fax, they learned that the received data is stored as a .jpg file, which gave them control over the entire file's contents: the malicious data they sent through the fax ended up stored in the printer's memory.

The next step was getting the color fax printed. Here the researchers found that a custom JPEG parser was used instead of the standard libjpeg, and it was in that JPEG parser that Itkin and Balmas found the two vulnerabilities.

"From an attacker's point of view this is a jackpot, as finding a vulnerability in a complex file format parser looks very promising," they wrote.
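The lesson for defenders in the JPEG-parser finding is that a file-format parser on an untrusted input path (here, the received fax image) must validate every length field against the data it actually has before using it. The following added example, written for this article and not taken from HP's firmware or Check Point's research, walks a JPEG's marker segments and rejects any segment whose declared length overruns the buffer; the sample byte strings are constructed.

```c
#include <stdint.h>
#include <stdio.h>

/* Walk the marker segments that precede a JPEG's entropy-coded data (SOI,
 * then APPn/COM/DQT/DHT/SOFn ... up to SOS) and check that every declared
 * segment length fits inside the buffer. Returns the segment count, or -1
 * if the stream is malformed. */
int jpeg_check_segments(const uint8_t *buf, size_t len)
{
    size_t pos = 2;                       /* first segment after SOI */
    int segments = 0;
    if (len < 4 || buf[0] != 0xFF || buf[1] != 0xD8)
        return -1;                        /* no Start Of Image marker */
    while (pos + 4 <= len) {              /* marker (2) + length (2) */
        uint8_t marker = buf[pos + 1];
        size_t seglen = ((size_t)buf[pos + 2] << 8) | buf[pos + 3];
        if (buf[pos] != 0xFF)
            return -1;                    /* segments begin with 0xFF */
        /* The length field counts itself (2 bytes), not the marker. */
        if (seglen < 2 || seglen > len - pos - 2)
            return -1;                    /* length overruns the buffer */
        segments++;
        if (marker == 0xDA)               /* SOS: scan data follows */
            return segments;
        pos += 2 + seglen;
    }
    return -1;                            /* ran out before SOS */
}

/* Constructed sample: SOI, APP0 (len 4), COM (len 3), SOS (len 2), data. */
int demo_wellformed(void)
{
    static const uint8_t jpg[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x04, 0x4A,
        0x46, 0xFF, 0xFE, 0x00, 0x03, 0x41, 0xFF, 0xDA, 0x00, 0x02, 0x12, 0x34 };
    return jpeg_check_segments(jpg, sizeof jpg);   /* 3 segments */
}

/* Constructed sample: the COM segment claims 0x7FFF bytes in a 13-byte file. */
int demo_oversized_length(void)
{
    static const uint8_t jpg[] = { 0xFF, 0xD8, 0xFF, 0xE0, 0x00, 0x04, 0x4A,
        0x46, 0xFF, 0xFE, 0x7F, 0xFF, 0x41 };
    return jpeg_check_segments(jpg, sizeof jpg);   /* -1: rejected */
}

int main(void)
{
    printf("well-formed: %d, oversized COM: %d\n", demo_wellformed(), demo_oversized_length());
    return 0;
}
```

A parser that instead copies `seglen` bytes into a fixed buffer on trust of the 16-bit field is exactly the kind of code a fuzzer, or a bounds-checked sanitizer build, should be pointed at before the device ships.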

Going from exploiting the vulnerabilities to spreading into the computer network meant using the Eternal Blue and Double Pulsar tools, both of which were developed by the National Security Agency (NSA) and which the researchers used on their file-based Turing Machine. With the tools, they were able to infiltrate systems across the entire network, a move that would give hackers access to sensitive data and files.

"Using the HP Officejet Pro 6830 all-in-one printer as a test case, we were able to demonstrate the security risk that lies in a modern implementation of the fax protocol," Itkin and Balmas wrote. "Using nothing but a phone line, we were able to send a fax that could take full control over the printer, and later spread our payload inside the computer network accessible to the printer."

— Jeffrey Burt is a longtime tech journalist whose work has appeared in such publications as eWEEK, The Next Platform and Channelnomics.
