Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in some Ricoh printers.
The following vulnerabilities were found to affect some Ricoh printers:
- Multiple Buffer Overflows Parsing HTTP Cookie Headers (CVE-2019-14300)
- Multiple Buffer Overflows Parsing HTTP Parameters (CVE-2019-14305, CVE-2019-14307)
- Buffer Overflow Parsing LPD Packets (CVE-2019-14308)
- No Account Lockout Implemented (CVE-2019-14299)
- Multiple Information Disclosure Vulnerabilities (CVE-2019-14301, CVE-2019-14306)
- Wrong LPD Implementation Lead to Denial of Service (CVE-2019-14303)
- Lack of Cross-Site Request Forgery Countermeasures (CVE-2019-14304)
- Denial of Service (and Potential Memory Corruption) Parsing IPP Packets (CVE-2019-14310)
- Hardware Serial Connector Exposed (CVE-2019-14302)
- Hardcoded Credentials (CVE-2019-14309)
Technical Advisories:
Multiple Buffer Overflows Parsing HTTP Cookie Headers (CVE-2019-14300)
Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com; Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14300
Risk: 9.8 CVSSv3
Summary
Some Ricoh printers were affected by stack buffer overflow vulnerabilities that would allow an attacker to execute arbitrary code on the device.
Impact
Successful exploitation of this vulnerability can lead to remote code execution on the affected device.
Details
Unauthenticated crafted requests to the web server will cause a vulnerable device to crash. Stack buffer overflows were identified in the way the embedded web server parsed cookie values. This would allow an attacker to execute arbitrary code on the device.
CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9
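The advisory gives no code, so the following is an added illustration, not Ricoh firmware or NCC Group code: a cookie lookup in C that measures each value against its destination before copying and rejects over-long values. The cookie name `sid`, the 64-byte limit and all function names are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define COOKIE_VALUE_MAX 64  /* assumed limit, chosen for this example */

/* Hypothetical result codes for this example. */
enum { COOKIE_OK = 0, COOKIE_MISSING = -1, COOKIE_TOO_LONG = -2 };

/*
 * Copy the value of cookie `name` out of a Cookie header value such as
 * "lang=en; sid=abc123" into out[outsz]. The bug class in the advisory comes
 * from copying a value into a fixed stack array without measuring it first
 * (strcpy, sscanf "%s"). Here the value is measured against the destination
 * and an over-long value is rejected, not truncated.
 */
static int cookie_get(const char *hdr, const char *name, char *out, size_t outsz)
{
    size_t nlen = strlen(name);
    const char *p = hdr;

    if (outsz == 0)
        return COOKIE_TOO_LONG;
    out[0] = '\0';

    while (*p) {
        const char *end, *eq;

        while (*p == ' ' || *p == ';')      /* skip separators */
            p++;
        end = strchr(p, ';');               /* end of this name=value pair */
        if (!end)
            end = p + strlen(p);
        eq = memchr(p, '=', (size_t)(end - p));
        if (eq && (size_t)(eq - p) == nlen && memcmp(p, name, nlen) == 0) {
            size_t vlen = (size_t)(end - (eq + 1));
            if (vlen >= outsz)              /* must leave room for the NUL */
                return COOKIE_TOO_LONG;
            memcpy(out, eq + 1, vlen);
            out[vlen] = '\0';
            return COOKIE_OK;
        }
        p = end;
    }
    return COOKIE_MISSING;
}

/* Call site with the destination on the stack, sized by the constant above. */
static int session_id_ok(const char *cookie_header)
{
    char sid[COOKIE_VALUE_MAX];
    return cookie_get(cookie_header, "sid", sid, sizeof sid) == COOKIE_OK;
}
```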
Proof of Concept
Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.
Devices Affected
The table below shows the devices and firmware versions affected:
RICOH Models | Affected Releases | Fixed Releases |
SP C250SF | * | * |
SP C252SF | * | * |
SP C250DN | Printer FW Version v1.05 | * |
SP C252DN | * | * |
* Waiting for a vendor confirmation
Vendor Communication
2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to follow up the process.
2019-08-08: NCC Group Advisory released
References
CVE-2019-14300
https://nvd.nist.gov/vuln/detail/CVE-2019-14300
Multiple Buffer Overflows Parsing HTTP Parameters (CVE-2019-14305, CVE-2019-14307)
Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com; Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14305, CVE-2019-14307
Risk: 8.8 CVSSv3
Summary
Some Ricoh printers were affected by buffer overflow vulnerabilities that would allow an attacker to execute arbitrary code on the device.
Impact
Successful exploitation of this vulnerability can lead to remote code execution on the affected device.
Details
Specially crafted requests to the web server will cause a vulnerable device to crash. Stack buffer overflows were identified in the way the embedded web server parsed parameter values. This would allow an attacker to execute arbitrary code on the device.
CVSSv3 Base Score: 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 2.8
Proof of Concept
Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.
Devices Affected
The table below shows the devices and firmware versions affected:
RICOH Models | Affected Releases | Fixed Releases |
SP C250SF | * | * |
SP C252SF | * | * |
SP C250DN | Printer FW Version v1.05 | * |
SP C252DN | * | * |
* Waiting for a vendor confirmation
Vendor Communication
2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to follow up the process.
2019-08-08: NCC Group Advisory released
References
CVE-2019-14305
https://nvd.nist.gov/vuln/detail/CVE-2019-14305
CVE-2019-14307
https://nvd.nist.gov/vuln/detail/CVE-2019-14307
Buffer Overflow Parsing LPD Packets (CVE-2019-14308)
Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com; Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14308
Risk: 9.8 CVSSv3
Summary
Some Ricoh printers were affected by stack buffer overflow vulnerabilities that would allow an attacker to execute arbitrary code on the device.
Impact
Successful exploitation of this vulnerability can lead to remote code execution on the affected device.
Details
Unauthenticated crafted packets to the LPD service will cause a vulnerable device to crash. A buffer overflow was identified in the way the embedded device parsed LPD packets. This would potentially allow an attacker to execute arbitrary code on the device.
CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9
Proof of Concept
Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.
Devices Affected
The table below shows the devices and firmware versions affected:
RICOH Models | Affected Releases | Fixed Releases |
SP C250SF | * | * |
SP C252SF | * | * |
SP C250DN | Printer FW Version v1.05 | * |
SP C252DN | * | * |
* Waiting for a vendor confirmation
Vendor Communication
2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to follow up the process.
2019-08-08: NCC Group Advisory released
References
CVE-2019-14308
https://nvd.nist.gov/vuln/detail/CVE-2019-14308
No Account Lockout Implemented (CVE-2019-14299)
Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com; Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14299
Risk: 6.5 CVSSv3
Summary
Some Ricoh printers did not implement account lockout.
Impact
Local account credentials may be extracted from the device via brute force guessing attacks.
Details
Some Ricoh printers did not implement account lockout. Therefore, it was possible to obtain the local account credentials by brute force.
CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Impact Subscore: 2.5
Exploitability Subscore: 3.9
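One way to implement the missing control, as an added example that is not the vendor's fix or code from the advisory: per-account lockout with exponential back-off in C. The thresholds, the struct and the function names are assumptions.

```c
#include <stdint.h>

#define MAX_FAILURES   5u     /* assumed threshold */
#define BASE_LOCK_SECS 30u    /* assumed first lockout; doubles each time */
#define MAX_LOCK_SECS  3600u  /* assumed ceiling */

enum login_result { LOGIN_OK, LOGIN_DENIED, LOGIN_LOCKED };

struct login_state {          /* hypothetical per-account record */
    unsigned failures;        /* consecutive failures since the last lockout */
    unsigned lockouts;        /* lockouts served since the last success */
    uint64_t locked_until;    /* epoch seconds; 0 = not locked */
};

/* Record one attempt at time `now`; the caller supplies the password check. */
static enum login_result login_attempt(struct login_state *s,
                                       int credentials_ok, uint64_t now)
{
    if (now < s->locked_until)
        return LOGIN_LOCKED;  /* refused even if the guess is right: no oracle */

    if (credentials_ok) {
        s->failures = s->lockouts = 0;
        s->locked_until = 0;
        return LOGIN_OK;
    }
    if (++s->failures >= MAX_FAILURES) {
        uint64_t secs = BASE_LOCK_SECS;
        for (unsigned i = 0; i < s->lockouts && secs < MAX_LOCK_SECS; i++)
            secs *= 2;
        if (secs > MAX_LOCK_SECS)
            secs = MAX_LOCK_SECS;
        s->locked_until = now + secs;
        s->lockouts++;
        s->failures = 0;
        return LOGIN_LOCKED;
    }
    return LOGIN_DENIED;
}

/* Guesses actually evaluated when one wrong guess arrives every second. */
static unsigned evaluated_guesses(uint64_t duration_secs)
{
    struct login_state s = {0, 0, 0};
    unsigned evaluated = 0;

    for (uint64_t t = 0; t < duration_secs; t++) {
        int locked = t < s.locked_until;
        (void)login_attempt(&s, 0, t);
        evaluated += !locked;
    }
    return evaluated;
}
```

With these assumed settings, a client guessing once per second has 150 guesses evaluated in a day instead of 86,400. A per-account lockout can itself be used to lock out the legitimate user, so it is usually paired with per-source throttling.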
Proof of Concept
Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.
Devices Affected
The table below shows the devices and firmware versions affected:
RICOH Models | Affected Releases | Fixed Releases |
SP C250SF | * | * |
SP C252SF | * | * |
SP C250DN | Printer FW Version v1.05 | * |
SP C252DN | * | * |
* Waiting for a vendor confirmation
Vendor Communication
2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to follow up the process.
2019-08-08: NCC Group Advisory released
References
CVE-2019-14299
https://nvd.nist.gov/vuln/detail/CVE-2019-14299
Multiple Information Disclosure Vulnerabilities (CVE-2019-14301, CVE-2019-14306)
Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com; Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14301, CVE-2019-14306
Risk: 7.5 CVSSv3
Summary
Some Ricoh printers were affected by different information disclosure vulnerabilities that provided sensitive information to an unauthenticated user.
Impact
Successful exploitation of these vulnerabilities can lead to the disclosure of sensitive information about the device configuration, operation or even the operating system memory.
Details
Ricoh printers were found to have several operational functions that allowed an unauthenticated user to download sensitive information from the printer.
CVSSv3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Impact Subscore: 3.6
Exploitability Subscore: 3.9
Proof of Concept
Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.
Devices Affected
The table below shows the devices and firmware versions affected:
RICOH Models | Affected Releases | Fixed Releases |
SP C250SF | * | * |
SP C252SF | * | * |
SP C250DN | Printer FW Version v1.05 | * |
SP C252DN | * | * |
* Waiting for a vendor confirmation
Vendor Communication
2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to follow up the process.
2019-08-08: NCC Group Advisory released
References
CVE-2019-14301
https://nvd.nist.gov/vuln/detail/CVE-2019-14301
CVE-2019-14306
https://nvd.nist.gov/vuln/detail/CVE-2019-14306
Wrong LPD Implementation Lead to Denial of Service (CVE-2019-14303)
Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com; Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14303
Risk: 7.5 CVSSv3
Summary
Some Ricoh printers were affected by a wrong LPD service implementation that led to a denial of service vulnerability.
Impact
Successful exploitation of this vulnerability would crash the device.
Details
Unauthenticated crafted packets to the LPD service will cause a vulnerable device to crash.
CVSSv3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Impact Subscore: 3.6
Exploitability Subscore: 3.9
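Added example, not taken from the advisory or the firmware (the advisory does not say which LPD field was mishandled): a strict C parser for the RFC 1179 "receive control file" / "receive data file" subcommand line that rejects malformed or over-long input before any copy, the kind of validation relevant both to this denial of service and to the LPD buffer overflow (CVE-2019-14308). The limits, the ban on `/` in names and all identifiers are assumptions.

```c
#include <stddef.h>
#include <string.h>

#define LPD_NAME_MAX  131u                  /* assumed cap on the file name */
#define LPD_COUNT_MAX (64ul * 1024 * 1024)  /* assumed largest accepted file */

struct lpd_recv {              /* hypothetical result type for this example */
    unsigned char kind;        /* 0x02 = control file, 0x03 = data file */
    unsigned long count;       /* number of file bytes that will follow */
    char name[LPD_NAME_MAX + 1];
};

/*
 * Parse one RFC 1179 "receive job" subcommand line:
 *     <0x02 | 0x03> <count> SP <name> LF
 * `len` is the number of bytes actually received. Returns 0 on success and
 * -1 on any malformed or over-long line. Nothing is copied until every
 * length has been checked against both the input and the destination.
 */
static int lpd_parse_recv(const unsigned char *buf, size_t len,
                          struct lpd_recv *out)
{
    size_t i = 1, start;
    unsigned long count = 0;

    if (len < 5 || (buf[0] != 0x02 && buf[0] != 0x03))
        return -1;
    if (buf[len - 1] != '\n')               /* unterminated line */
        return -1;

    /* count: one or more decimal digits, capped so it can never wrap */
    if (buf[i] < '0' || buf[i] > '9')
        return -1;
    for (; i < len && buf[i] >= '0' && buf[i] <= '9'; i++) {
        count = count * 10 + (unsigned long)(buf[i] - '0');
        if (count > LPD_COUNT_MAX)
            return -1;
    }
    if (i >= len || buf[i] != ' ')
        return -1;
    start = ++i;

    /* name: printable ASCII without '/', running up to the final LF */
    for (; i < len - 1; i++)
        if (buf[i] <= ' ' || buf[i] > '~' || buf[i] == '/')
            return -1;
    if (i == start || i - start > LPD_NAME_MAX)
        return -1;

    out->kind = buf[0];
    out->count = count;
    memcpy(out->name, buf + start, i - start);
    out->name[i - start] = '\0';
    return 0;
}
```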
Proof of Concept
Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.
Devices Affected
The table below shows the devices and firmware versions affected:
RICOH Models | Affected Releases | Fixed Releases |
SP C250SF | * | * |
SP C252SF | * | * |
SP C250DN | Printer FW Version v1.05 | * |
SP C252DN | * | * |
* Waiting for a vendor confirmation
Vendor Communication
2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to follow up the process.
2019-08-08: NCC Group Advisory released
References
CVE-2019-14303
https://nvd.nist.gov/vuln/detail/CVE-2019-14303
Lack of Cross-Site Request Forgery Countermeasures (CVE-2019-14304)
Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com; Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14304
Risk: 6.5 CVSSv3
Summary
Some Ricoh printers did not implement any mechanism to avoid cross-site request forgery attacks.
Impact
Successful exploitation of this vulnerability can lead to the takeover of a local account on the device.
Details
Some Ricoh printers did not implement any mechanism to prevent cross-site request forgery attacks. This can allow a local account password to be changed without the knowledge of the authenticated user.
CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Impact Subscore: 3.6
Exploitability Subscore: 2.8
Proof of Concept
Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.
Devices Affected
The table below shows the devices and firmware versions affected:
RICOH Models | Affected Releases | Fixed Releases |
SP C250SF | * | * |
SP C252SF | * | * |
SP C250DN | Printer FW Version v1.05 | * |
SP C252DN | * | * |
* Waiting for a vendor confirmation
Vendor Communication
2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to follow up the process.
2019-08-08: NCC Group Advisory released
References
CVE-2019-14304
https://nvd.nist.gov/vuln/detail/CVE-2019-14304
Denial of Service (and Potential Memory Corruption) Parsing IPP Packets (CVE-2019-14310)
Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com; Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14310
Risk: 9.8 CVSSv3
Summary
Some Ricoh printers were affected by memory corruption vulnerabilities that would allow an attacker to execute arbitrary code on the device.
Impact
Successful exploitation of this vulnerability can potentially lead to remote code execution or crash the affected device.
Details
Unauthenticated crafted packets to the IPP service will cause a vulnerable device to crash. A memory corruption issue was identified in the way the embedded device parsed IPP packets. This would potentially allow an attacker to execute arbitrary code on the device.
CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9
Proof of Concept
Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.
Devices Affected
The table below shows the devices and firmware versions affected:
RICOH Models | Affected Releases | Fixed Releases |
SP C250SF | * | * |
SP C252SF | * | * |
SP C250DN | Printer FW Version v1.05 | * |
SP C252DN | * | * |
* Waiting for a vendor confirmation
Vendor Communication
2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to follow up the process.
2019-08-08: NCC Group Advisory released
References
CVE-2019-14310
https://nvd.nist.gov/vuln/detail/CVE-2019-14310
Hardware Serial Connector Exposed (CVE-2019-14302)
Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com; Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14302
Risk: 6.8 CVSSv3
Summary
Some Ricoh printers exposed a hardware serial connector that allowed both interaction with the device and retrieval of sensitive information.
Impact
Successful exploitation of this vulnerability can lead to full control of the device.
Details
An attacker with physical access to the devices could interact with a serial connector. This provided a shell that could be used to read and write data in RAM, and to execute functions at a given memory address with specified arguments.
CVSSv3 Base Score: 6.8 (AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 0.9
Proof of Concept
Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.
Devices Affected
The table below shows the devices and firmware versions affected:
RICOH Models | Affected Releases | Fixed Releases |
SP C250SF | * | * |
SP C252SF | * | * |
SP C250DN | Printer FW Version v1.05 | * |
SP C252DN | * | * |
* Waiting for a vendor confirmation
Vendor Communication
2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to follow up the process.
2019-08-08: NCC Group Advisory released
References
CVE-2019-14302
https://nvd.nist.gov/vuln/detail/CVE-2019-14302
Hardcoded Credentials (CVE-2019-14309)
Vendor: Ricoh
Vendor URL: https://www.ricoh.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com; Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-14309
Risk: 6.5 CVSSv3
Summary
Some Ricoh printers were affected by a hardcoded credentials vulnerability that would allow an attacker to access a printer service.
Impact
Successful exploitation of this vulnerability can allow an attacker to access and read information from the affected service.
Details
FTP service credentials were found to be hardcoded within the printer firmware. This would allow an attacker to access and read information stored in the shared FTP folders.
CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N)
Impact Subscore: 2.5
Exploitability Subscore: 3.9
Proof of Concept
Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.
Devices Affected
The table below shows the devices and firmware versions affected:
RICOH Models | Affected Releases | Fixed Releases |
SP C250SF | * | * |
SP C252SF | * | * |
SP C250DN | Printer FW Version v1.05 | * |
SP C252DN | * | * |
* Waiting for a vendor confirmation
Vendor Communication
2019-04-02: Responsible Vulnerability Disclosure process initialized
Between April and August: Permanent email contact between NCC Group and Ricoh in order to follow up the process.
2019-08-08: NCC Group Advisory released
References
CVE-2019-14309
https://nvd.nist.gov/vuln/detail/CVE-2019-14309
About NCC Group
NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: 08/08/2019
Written by:
• Daniel Romero – daniel.romero[at]nccgroup[dot]com
• Mario Rivas – mario.rivas[at]nccgroup[dot]com