Saltar a la navegación Saltar al contenido principal Ir al pie de página

Technical Advisory: Multiple Vulnerabilities in Ricoh Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in some Ricoh printers.
The vulnerability list below was found affecting to some Ricoh printers:

Technical Advisories:

Multiple Buffer Overflows Parsing HTTP Cookie Headers (CVE-2019-14300)

Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14300
Risk: 9.8 CVSSv3

Summary

Some Ricoh printers were affected by stack buffer overflow vulnerabilities that would allow an attacker to execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can lead to remote code execution on the affected device.

Details

Unauthenticated crafted requests to the web server will cause a vulnerable device to crash. Stack buffer overflows have been identified in the way of how the embedded web server parsed the cookie values. This would allow an attacker to execute arbitrary code on the device.

CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

RICOH Models Affected Releases Fixed Releases
SP C250SF * *
SP C252SF * *
SP C250DN Printer FW Version v1.05 *
SP C252DN * *
  • Waiting for a vendor confirmation

Vendor Communication

2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to 
follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-14300
https://nvd.nist.gov/vuln/detail/CVE-2019-14300

Multiple Buffer Overflows Parsing HTTP Parameters (CVE-2019-14305, CVE-2019-14307)

Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14305, CVE-2019-14307
Risk: 8.8 CVSSv3

Summary

Some Ricoh printers were affected by buffer overflow vulnerabilities that would allow an attacker to execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can lead to remote code execution on the affected device.

Details

Specially crafted requests to the web server will cause a vulnerable device to crash. Stack buffer overflows have been identified in the way of how the embedded web server parsed the parameter values. This would allow an attacker to execute arbitrary code on the device.

CVSSv3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 2.8

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

RICOH Models Affected Releases Fixed Releases
SP C250SF * *
SP C252SF * *
SP C250DN Printer FW Version v1.05 *
SP C252DN * *
  • Waiting for a vendor confirmation

Vendor Communication

2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to 
follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-14305
https://nvd.nist.gov/vuln/detail/CVE-2019-14305

CVE-2019-14307
https://nvd.nist.gov/vuln/detail/CVE-2019-14307

Buffer Overflow Parsing LPD Packets (CVE-2019-14308)

Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14308
Risk: 9.8 CVSSv3

Summary

Some Ricoh printers were affected by stack buffer overflow vulnerabilities that would allow an attacker to execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can lead to remote code execution on the affected device.

Details

Unauthenticated crafted packets to the LPD service will cause a vulnerable device to crash. A buffer overflows has been identified in the way of how the embedded device parsed the LPD packets. This would potentially allow an attacker to execute arbitrary code on the device.

CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

RICOH Models Affected Releases Fixed Releases
SP C250SF * *
SP C252SF * *
SP C250DN Printer FW Version v1.05 *
SP C252DN * *
  • Waiting for a vendor confirmation

Vendor Communication

2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to 
follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-14308
https://nvd.nist.gov/vuln/detail/CVE-2019-14308

No Account Lockout Implemented (CVE-2019-14299)

Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14299
Risk: 6.5 CVSSv3

Summary

Some Ricoh printers did not implement account lockout.

Impact

Local account credentials may be extracted from the device via brute force guessing attacks.

Details

Some Ricoh printers did not implement account lockout. Therefore, it was possible to obtain the local account credentials by brute force.

CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Impact Subscore: 2.5
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

RICOH Models Affected Releases Fixed Releases
SP C250SF * *
SP C252SF * *
SP C250DN Printer FW Version v1.05 *
SP C252DN * *
  • Waiting for a vendor confirmation

Vendor Communication

2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to 
follow up the process.
2019-08-08: NCC Group Advisory released

 

References

CVE-2019-14299
https://nvd.nist.gov/vuln/detail/CVE-2019-14299

Multiple Information Disclosure Vulnerabilities (CVE-2019-14301, CVE-2019-14306)

Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14301, CVE-2019-14306
Risk: 7.5 CVSSv3

Summary

Some Ricoh printers were affected by different information disclosure vulnerabilities that provided sensitive information to an unauthenticated user.

Impact

Successful exploitation of these vulnerabilities can lead to the disclosure of sensitive information about the device configuration, operation or even the operating system memory.

Details

Ricoh printers were found having several operational functionalities that allowed to download sensitive information within the printer by an unauthenticated user.

CVSSv3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Impact Subscore: 3.6
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

RICOH Models Affected Releases Fixed Releases
SP C250SF * *
SP C252SF * *
SP C250DN Printer FW Version v1.05 *
SP C252DN * *
  • Waiting for a vendor confirmation

Vendor Communication

2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to 
follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-14301
https://nvd.nist.gov/vuln/detail/CVE-2019-14301

CVE-2019-14306
https://nvd.nist.gov/vuln/detail/CVE-2019-14306

Wrong LPD Implementation Lead to Denial of Service (CVE-2019-14303)

Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14303
Risk: 7.5 CVSSv3

Summary

Some Ricoh printers were affected by a wrong LPD service implementation that lead to a denial of service vulnerability.

Impact

Successful exploitation of this vulnerability would crash the device.

Details

Unauthenticated crafted packets to the LPD service will cause a vulnerable device to crash.

CVSSv3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Impact Subscore: 3.6
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

RICOH Models Affected Releases Fixed Releases
SP C250SF * *
SP C252SF * *
SP C250DN Printer FW Version v1.05 *
SP C252DN * *
  • Waiting for a vendor confirmation

Vendor Communication

2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to 
follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-14303
https://nvd.nist.gov/vuln/detail/CVE-2019-14303

Lack of Cross-Site Request Forgery Countermeasures (CVE-2019-14304)

Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14304
Risk: 6.5 CVSSv3

Summary

Some Ricoh printers did not implement any mechanism to avoid cross-site request forgery attacks.

Impact

Successful exploitation of this vulnerability can lead to the takeover of a local account on the device.

Details

Some Ricoh printers did not implement any mechanism to avoid cross-site request forgery attacks. This can lead to allow a local account password to be changed without the knowledge of the authenticated user.

CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Impact Subscore: 3.6
Exploitability Subscore: 2.8

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

RICOH Models Affected Releases Fixed Releases
SP C250SF * *
SP C252SF * *
SP C250DN Printer FW Version v1.05 *
SP C252DN * *
  • Waiting for a vendor confirmation

Vendor Communication

2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to 
follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-14304
https://nvd.nist.gov/vuln/detail/CVE-2019-14304

Denial of Service (and Potential Memory Corruption) Parsing IPP Packets (CVE-2019-14310)

Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14310
Risk: 9.8 CVSSv3

Summary

Some Ricoh printers were affected by memory corruption vulnerabilities that would allow an attacker to execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can potentially lead to remote code execution or crash the affected device.

Details

Unauthenticated crafted packets to the IPP service will cause a vulnerable device to crash. A memory corruption has been identified in the way of how the embedded device parsed the IPP packets. This would potentially allow an attacker to execute arbitrary code on the device.

CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

RICOH Models Affected Releases Fixed Releases
SP C250SF * *
SP C252SF * *
SP C250DN Printer FW Version v1.05 *
SP C252DN * *
  • Waiting for a vendor confirmation

Vendor Communication

2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to 
follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-14310
https://nvd.nist.gov/vuln/detail/CVE-2019-14310

Hardware Serial Connector Exposed (CVE-2019-14302)

Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14302
Risk: 6.8 CVSSv3

Summary

Some Ricoh printers exposed a hardware serial connector which allowed both interacting with device and retrieving sensitive information.

Impact

Successful exploitation of this vulnerability can lead to gain full control of the device.

Details

An attacker with physical access to the devices could interact with a serial connector. This provided a shell that can be see used to read and write data within the RAM memory, as well as allowed to execute functions at a certain memory position with the specified arguments.

CVSSv3 Base Score: 6.8 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 0.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

RICOH Models Affected Releases Fixed Releases
SP C250SF * *
SP C252SF * *
SP C250DN Printer FW Version v1.05 *
SP C252DN * *
  • Waiting for a vendor confirmation

Vendor Communication

2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to 
follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-14302
https://nvd.nist.gov/vuln/detail/CVE-2019-14302

Hardcoded Credentials (CVE-2019-14309)

Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14309
Risk: 6.5 CVSSv3

Summary

Some Ricoh printers were affected by a hardcoded credentials vulnerability that would allow an attacker to access to a printer service.

Impact

Successful exploitation of this vulnerability can allow to access and read information from the affected service.

Details

FTP service credential were found to be hardcoded within the printer firmware. This would allow to an attacker to access and read information stored on the shared FTP folders.

CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Impact Subscore: 2.5
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

RICOH Models Affected Releases Fixed Releases
SP C250SF * *
SP C252SF * *
SP C250DN Printer FW Version v1.05 *
SP C252DN * *
  • Waiting for a vendor confirmation

Vendor Communication

2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to 
follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-14309
https://nvd.nist.gov/vuln/detail/CVE-2019-14309

 

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: 08/08/2019
Written by:
• Daniel Romero – daniel.romero[at]nccgroup[dot]com
• Mario Rivas – mario.rivas[at]nccgroup[dot]com