Multifunction printers (MFPs) are frequently overlooked in vulnerability management. During a network breach, attackers do not limit themselves to high-value assets like servers or databases. They seek any system that can provide valuable information or assist them in escalating their privileges. MFPs often fall into this category for several reasons:

A compromised MFP can act as a pivot point for attackers, serving as a potential entryway for further exploitation. Therefore, securing MFPs must be a critical component of any modern vulnerability management strategy.

Common MFP Vulnerabilities

It's important to recognize that multifunction printers (MFPs) are frequently used to scan documents to network shares or email inboxes. This functionality often requires integration with Active Directory or another authentication database, which means that credentials may be stored on these devices.

To effectively secure multifunction printers, organizations should implement the same structured vulnerability management process that they use for other IT assets.

When it comes to MFPs, we should take into account the following common security issues:

Asset Discovery & Inventory

It is essential to maintain an updated inventory of MFPs, including the model and firmware versions.

To identify all MFPs in the network, we can use traffic analysis with protocols like NetFlow and analyze DHCP logs to search for relevant MAC addresses.

Another effective method is network scanning. In addition to vulnerability scanners, we can use simpler solutions like network scanners. For example, Nmap can be utilized to scan the network and gather valuable information about connected MFPs.

The following command will scan the network using Nmap and execute a script to retrieve the title header of web applications, helping us identify the device vendor:

sudo nmap -P0 -vv -sS -script=http-title.nse -p 80,443 192.168.12.0/24

Many MFPs have the SNMP protocol enabled by default. The command below will scan the network, connect to the SNMP service, and retrieve information using the snmp-info.nse script.

sudo nmap -P0 -sU -script=snmp-info.nse -p 161 -vv 192.168.21.0/24

It is also a good idea to categorize certain MFPs as critical assets if they handle sensitive information.

Vulnerability Assessment

We can perform regular vulnerability scans using a scanner like Nessus, for example. Unfortunately, this is not always possible because printers are fragile devices, and in some cases, scanning them or sending data to specific ports may cause malfunctions or even disrupt their functionality.

An alternative approach to assessing vulnerabilities in MFPs is to monitor vendor security bulletins for updates and CVE disclosures.

Check for misconfigurations and vulnerabilities using self-crafted scripts.

As an additional step, we can create our own script if a vulnerability and its exploit are publicly available. For example, I wrote a Python script that scans an IP network for the CVE-2022-1026 vulnerability in Kyocera devices. I used a publicly available exploit, modified it, and integrated it into the scanning script.

python3 scan_kyocera.py 192.0.2.0/25


from csv import reader, writer
import socket
import warnings
import argparse
from exp_kyocera import cve_kyocera
import ipaddress

warnings.filterwarnings('ignore', message='Unverified HTTPS request')

#######
#
#Port TCP 9091 should be accessible
#In the address book of kyocera device there should be at least one record for exploit to work
#To run: python3 scan_kyocera.py 192.0.2.0/25
#
##################

#Save results
def write_results(inlist, resultname):
    fileResults = open(resultname + '.csv', mode='w', encoding='utf8', newline='')
    resultwriter = writer(fileResults, delimiter=',')
    resultwriter.writerows(inlist)
    fileResults.close()


#Args
parser = argparse.ArgumentParser()
parser.add_argument("network", help="network to scan with CIDR, example: 192.0.2.0/25")
args = parser.parse_args()

net = args.network
result_data = [['#', 'IP', 'Result']]
target_network = ipaddress.ip_network(net)
socket.setdefaulttimeout(1) #Timeout in seconds to wait on socket - 9091
n = 0
for t in target_network.hosts():
    n += 1
    target = str(t)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    isopen = s.connect_ex((target, 9091))
    if isopen == 0:
        result = cve_kyocera(target)
    else:
        result = 'Timeout'
    result_data.append([n, target, result])

#Write results
write_results(result_data, 'results')

#Print vulnerable results
print(result_data[0:1])
for r in result_data[1:]:
    if r[2] == 'Vulnerable':
        print(r)

There was no other way to check all the devices for this vulnerability because the vulnerability scanner was unable to detect it.

Final Thoughts

Multifunction Printers (MFPs) are often overlooked in cybersecurity strategies, yet they can represent a significant vulnerability in corporate networks. These devices should be included in the risk prioritization process, where the impact and exploitability of detected vulnerabilities are evaluated, and patches are prioritized accordingly.

The typical remediation and hardening process should include the following steps: