lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <60c619d0-2e6e-5c86-ff1f-26666e22c148@syss.de>
Date: Thu, 3 Aug 2023 08:56:41 +0200
From: Matthias Deeg via Fulldisclosure <fulldisclosure@...lists.org>
To: <fulldisclosure@...lists.org>
Subject: [FD] [SYSS-2023-011]: Canon PIXMA TR4550 and other inkjet printer
 models - Insufficient or Incomplete Data Removal,
 within Hardware Component (CWE-1301)

Advisory ID:               SYSS-2023-011
Product:                   PIXMA TR4550
Manufacturer:              Canon
Affected Version(s):       1.020 / 1.080
                            also affects many other Canon inkjet printer
                            models[4]
Tested Version(s):         1.020 / 1.080
Vulnerability Type:        Insufficient or Incomplete Data Removal
                            within Hardware Component (CWE-1301)
                            Insufficiently Protected Credentials
                            (CWE-522)
Risk Level:                Low
Solution Status:           Fixed
Manufacturer Notification: 2023-04-06
Solution Date:             2023-07-31
Public Disclosure:         2023-08-03
CVE Reference:             No CVE ID from Canon PSIRT
Author of Advisory:        Manuel Stotz, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

The Canon PIXMA TR4550 is an entry-level 4-in-1 printer equipped with
Wi-Fi connectivity.

The manufacturer describes the product as follows (see [1]):

"Ready to adapt to your smart home office environment, this efficient
4-In-One printer requires minimal space but gives maximum support to
your projects. Whether scanning a document, copying an ID, faxing an
invoice or printing posters, PIXMA TR4550 has the functionality to keep
up with your business needs. Equipped with smart Wi-Fi connectivity to
optimise management of functions and features, this front-loading
4-In-One printer is the compact solution that saves space, streamlines
ink usage and brings productivity to the forefront."

The unprotected storage of credentials and insufficient data removal
during a factory reset allows sensitive data to be read out afterward.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

The Canon PIXMA TR4550 stores sensitive data, such as the SSID and the
Wi-Fi pre-shared key (PSK), unencrypted in its persistent storage
(EEPROM).

Resetting the product to factory settings (via 'Setup', 'Device
settings', 'Reset setting' and 'All data') does not securely delete this
sensitive information.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

SySS could successfully perform a proof-of-concept attack via the
following steps:

* Configure and establish a Wi-Fi connection.
* Reset all data (Setup, Device settings, Reset setting, All data).
* Disassemble the printer and locate the EEPROM on the PCB.
* Create an EEPROM memory dump.
* Search and locate the configured SSID and PSK in the memory dump.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

Canon PSIRT published its security advisory "Vulnerability
Mitigation/Remediation for Inkjet Printers (Home and Office/Large
Format)" (CP2023-003)[3] describing how sensitive information should be
deleted concerning the affected printers[5].

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2023-04-06: Vulnerability reported to manufacturer
2023-04-12: Canon PSIRT creates ticket
2023-04-27: Update from Canon concerning ongoing analysis
2023-05-15: Canon confirms security issue
2023-05-23: Agreement on public disclosure date
2023-07-17: Canon PSIRT informs about scheduled publication of their
             security advisory
2023-07-31: Canon PSIRT publishes their security advisory "Vulnerability
             Mitigation/Remediation Format Inkjet Printers (Home and
             Office/Large Format)" (CP2023-003)[3]
2023-08-03: Public release of SySS security advisory

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for Canon PIXMA TR4550
 
https://www.canon-europe.com/support/consumer/products/printers/pixma/tr-series/pixma-tr4550.html
[2] SySS Security Advisory SYSS-2023-011
 
https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2023-011.txt
[3] CP2023-003 Vulnerability Mitigation/Remediation for Inkjet Printers 
(Home and Office/Large Format)
     https://psirt.canon/advisory-information/cp2023-003/
[4] List of affected printers
 
https://canon.a.bigcontent.io/v1/static/affected-models_20230731_d04c0d9895124b65acd21ca68357dcdc
[5] SySS Responsible Disclosure Policy
     https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Manuel Stotz of SySS GmbH.

E-Mail: manuel.stotz (at) syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Manuel_Stotz.asc
Key Fingerprint: F051 5B74 7E70 193E 7F66 0133 E790 F68A BCE6 8C6D

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS website.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: http://creativecommons.org/licenses/by/3.0/deed.en

Download attachment "OpenPGP_signature" of type "application/pgp-signature" (841 bytes)

_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: https://seclists.org/fulldisclosure/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ