#############################################################
#
# COMPASS SECURITY ADVISORY http://www.csnc.ch/
#
#############################################################
#
# Product: OKI C5510MFP Printer
# Vendor: OKI Printing Solutions
(http://www.okiprintingsolutions.com/)
# Subject: Printer Reveals Password /
# Password and the configuration can be altered without
authentication
# Risk: High
# Effect: Remotely exploitable
# Author: Adrian Leuenberger (adrian.leuenberger (at) csnc (dot)
ch)
# Date: 01/17/2008
#
#############################################################
Introduction:
-------------
The OKI C5510MFP printer offers a web interface for the configuration.
Certain pages require higher privileges for making changes. However, the
password required for accessing these pages is sent to the client in
clear text by the printer. Furthermore, the password can be set without
prior authentication. Consequently, the whole configuration can be
changed without knowing the password.
Vulnerable:
-----------
The tested model is an OKI C5510MFP (Printer CU Version: H2.15 / Printer
PU Version: 01.03.01 / System F/W Version: 1.01 / Web Page Version:
1.00). However, it is likely that other printers are affected as well.
Remediation:
------------
Currenty, there is no workaround on the printer itself. A solution would
be to implement ACLs in the network infrastructure level / firewall and
block communication with ports that are not needed for printing.
Vulnerability Management:
-------------------------
09/26/2007: Vendor notified
10/04/2007: Vendor receipt
01/16/2008: According to our contact at OKI, the information will be
used for further development and there will be no patched firmware for
the affected printers.
Patches:
--------
None
Description:
------------
Basically, the vulnerability comes from a design flaw. There are two
methods for configuring the printer:
1) Via Browser
When requesting the webpage, a Java applet is downloaded and started.
The applet creates a connection to TCP port 5548 on the printer and
receives the configuration in clear text including the current
administration password.
2) Via OKIMFP Network Setup Tool
The client running on the PC creates a connection to TCP port 7777 and
receives the configuration in clear text including the current
administration password.
References:
-----------
http://www.csnc.ch/en/downloads/advisories.html