Samsung network printer vulnerability discovered - Update 2
US-CERT is warning of an administrator account in printers made by Samsung that allows an attacker to take full control of the devices. The account seems to be a hard-coded community string with full SNMP read and write access. This account remains active, even when SNMP is disabled in the printer's administration interface.
Besides putting the printers and data passing through these devices at risk, the backdoor is also endangering other systems on the network as it can enable attackers to execute arbitrary code. Therefore, these printers could be the weak points attackers can exploit to attack other devices on the network, US-CERT says.
Besides Samsung-branded printers, some devices that the company produced for Dell also seem to be affected. However, the flaw seems to only affect models produced before 31 October 2012. According to US-CERT, Samsung plans to ship a patch tool to close the backdoor before the end of the year.
Update (28/11/12 14:00) - Details of the vulnerability are now in circulation – it appears that the community string would read "s!a@m#n$p%c" to access the printer.
Update (29/11/12 16:30) - In a statement, Samsung said that the problem would occur only if SNMP is enabled and that users could protect themselves by disabling SNMPv1 and SNMPv2 and only using SNMPv3's secure modes. But the details from US CERT suggest that is not enough; as the published demo exploit shows, the printer has a custom trap port on 1118/UDP and this port is not disabled. One workaround would, of course, be to block access to this port.
(fab)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/6/7/2/comingin310_4_kicker-4977194bfb0de0d7.png)
![Kernel Log: Coming in 3.10 (Part 3) [--] Infrastructure](/imgs/43/1/0/4/2/3/2/3/comingin310_3_kicker-151cd7b9e9660f05.png)
