Skip to navigation Skip to main content Skip to footer

Technical Advisory: Multiple Vulnerabilities in Brother Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Brother printers.

The vulnerability list below was found affecting to several Brother printers:

Technical Advisories:

Stack Buffer Overflow in Cookie Values (CVE-2019-13193)

Vendor: Brother
Vendor URL: https://global.brother/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13193
Risk: 8.8 CVSSv3

Summary

Some Brother printers were affected by a stack buffer overflow vulnerability that would allow an attacker to execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can lead to remote code execution on the affected device.

Details

A specially crafted request to the web server will cause a vulnerable device to crash. A stack buffer overflow has been identified in the way of how the embedded web server parsed the cookie values. This would allow an attacker to execute arbitrary code on the device.

CVSSv3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 2.8

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

BROTHER Models Affected Releases Fixed Releases
Brother HL-L8360CDW Main Firmware: v1.20 Main Firmware: v1.34
others *

Vendor Communication

2019-02-06: Responsible Vulnerability Disclosure process initialized
Between February and July: Permanent email / call contact between NCC Group and Brother in order to follow up the process.
2019-04-25: Brother firmware update released (only for the HL-L8360CDW model – no issue references)
2019-07-04: CVEs request (CVE-2019-13193)
2019-07-31: Brother firmware update released (for the rest of the models affected)
2019-07-31: Brother advisory released
2019-08-08: NCC Group advisory released

References

Brother firmware update (HL-L8360CDW model):
https://support.brother.com/g/b/downloadend.aspx?c=gb lang=en prod=hll8360cdw_us_eu_as os=10013 dlid=dlf002976_000 flang=4 type3=375

Brother Security Advisory:
https://support.brother.com/g/b/faqend.aspx?c=us lang=en prod=group2 faqid=faq00100670_000

CVE-2019-13193:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13193

 

Heap Overflow in IPP Attribute Name (CVE-2019-13192)

Vendor: Brother
Vendor URL: https://global.brother/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13192
Risk: 9.8 CVSSv3

Summary

Some Brother printers were affected by a heap buffer overflow vulnerability that would allow an attacker to execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can lead to remote code execution on the affected device.

Details

A specially crafted request to the IPP service will cause a vulnerable device to crash. A heap buffer overflow has been identified in the way of how attribute names were parsed by the IPP service. This would allow an attacker to execute arbitrary code on the device.

CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

BROTHER Models Affected Releases Fixed Releases
Brother HL-L8360CDW Main Firmware: v1.20 Main Firmware: v1.34
others *

 

Vendor Communication

2019-02-06: Responsible Vulnerability Disclosure process initialized
Between February and July: Permanent email / call contact between NCC Group and Brother in order to follow up the process.
2019-04-25: Brother firmware update released (only for the HL-L8360CDW model – no issue references)
2019-07-04: CVEs request (CVE-2019-13192)
2019-07-31: Brother firmware update released (for the rest of the models affected)
2019-07-31: Brother advisory released
2019-08-08: NCC Group advisory released

References

Brother firmware update (HL-L8360CDW model):
https://support.brother.com/g/b/downloadend.aspx?c=gb lang=en prod=hll8360cdw_us_eu_as os=10013 dlid=dlf002976_000 flang=4 type3=375

Brother Security Advisory:
https://support.brother.com/g/b/faqend.aspx?c=us lang=en prod=group2 faqid=faq00100670_000

CVE-2019-13192:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13192

Information Disclosure Vulnerability (CVE-2019-13194)

Vendor: Brother
Vendor URL: https://global.brother/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13194
Risk: 7.5 CVSSv3

Summary

Some Brother printers were affected by different information disclosure vulnerabilities that provided sensitive information to an unauthenticated user.

Impact

Successful exploitation of this vulnerability can lead to the disclosure of information about the device configuration and operation.

Details

Brother printers were found having several operational and configuration functionalities or files, which could be reached by an unauthenticated user.

CVSSv3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Impact Subscore: 3.6
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

BROTHER Models Affected Releases Fixed Releases
Brother HL-L8360CDW Main Firmware: v1.20 Main Firmware: v1.34
others *

 

Vendor Communication

2019-02-06: Responsible Vulnerability Disclosure process initialized
Between February and July: Permanent email / call contact between NCC Group and Brother in order to follow up the process.
2019-04-25: Brother firmware update released (only for the HL-L8360CDW model – no issue references)
2019-07-04: CVEs request (CVE-2019-13194)
2019-07-31: Brother firmware update released (for the rest of the models affected)
2019-07-31: Brother advisory released
2019-08-08: NCC Group advisory released

References

Brother firmware update (HL-L8360CDW model):
https://support.brother.com/g/b/downloadend.aspx?c=gb lang=en prod=hll8360cdw_us_eu_as os=10013 dlid=dlf002976_000 flang=4 type3=375

Brother Security Advisory:
https://support.brother.com/g/b/faqend.aspx?c=us lang=en prod=group2 faqid=faq00100670_000

CVE-2019-13194:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2019-13194

 

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: 08/08/2019
Written by:
• Daniel Romero – daniel.romero[at]nccgroup[dot]com
• Mario Rivas – mario.rivas[at]nccgroup[dot]com