
Ineffective configuration on Lexmark printers


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

Over 1000 misconfigured Lexmark printers have been discovered operating open to the public internet, making them easily available to any attacker seeking to hijack such a device as an entry point to a given network.

Threat details

The printers have been found to come preset with a default password or no password at all. They are reachable by attackers over TCP ports 21, 23, 80 and 443. Port 23 uses Telnet, which is an outdated protocol. Unlike the more secure SSH, Telnet is unencrypted, meaning attackers could listen to all traffic on that port with a man-in-the-middle (MitM) attack. Port 21 presents its own security holes as it uses FTP (File Transfer Protocol), which is also unencrypted. Together, this allows an attacker to remotely access the devices and view their status, MAC address and configuration, as well as passwords.

Attackers can upload potentially malicious documents to the printer programming. This can also be used as a backdoor into the network, allowing them to attack other systems and devices.


Remediation steps

  • Change passwords from the default credentials and ensure they are known only to those who require them.
  • Consider disabling the ability to remotely access the printer via TCP ports 21, 80 and 443.
  • Consider disabling port 23 and using more secure ports.
  • Consider changing network architecture to ensure that shared devices are segregated from those storing sensitive information.
  • Consider removing internet access to printers where possible.
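To confirm the steps above have taken effect, the four ports named in this alert can be checked on your own printers. The following is an added example, not part of the original alert: the function names and the inventory addresses are assumptions (the addresses are constructed placeholders), and it distinguishes a port the device refuses from one that gives no answer.

```python
import socket

# Ports named in the alert; labels are the standard services on those ports.
ALERT_PORTS = {21: "FTP (unencrypted)", 23: "Telnet (unencrypted)",
               80: "HTTP", 443: "HTTPS"}

def probe(host, port, timeout=2.0):
    """Classify one TCP port as 'open', 'closed' (refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"      # the device answered: the service is disabled
    except OSError:
        return "filtered"    # timeout or unreachable: blocked on the path, or host down

def audit_printer(host, ports=ALERT_PORTS, timeout=2.0):
    """Return {port: state} for every port in the list."""
    return {port: probe(host, port, timeout) for port in ports}

def exposed_services(results, ports=ALERT_PORTS):
    """Return sorted report lines for the ports that still accept connections."""
    return [f"TCP {p} open: {ports[p]}" for p in sorted(results) if results[p] == "open"]

if __name__ == "__main__":
    # Constructed inventory: RFC 5737 documentation addresses stand in for your own printers.
    for host in ["192.0.2.10", "192.0.2.11"]:
        lines = exposed_services(audit_printer(host, timeout=1.0))
        print(host, "no alert ports open" if not lines else "; ".join(lines))
```

Run it once from inside the printer's network segment and once from a host outside the perimeter: a port that is open internally but filtered externally is blocked at the perimeter but still enabled on the device.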

Last edited: 17 February 2020 11:32 am