During a recent pentest, I encountered a Dell 2335dn printer which did not have any admin credentials set (the default). After authenticating with the username “admin” I began to poke around to see if there was an LDAP server or SMTP server configured that I could exploit. (See https://hackinparis.com/data/slides/2014/DeralHeilandandPeterArzamendi.pdf for some good info on printer exploitation.)
What I found was much simpler than that. Right click and “view source” shows the configured SMTP and (presumably) LDAP credentials in plaintext. This device was running the following firmware versions, and I have not tested it with other versions, but I suspect that they are vulnerable as well.
- Printer Firmware Version: 2.70.05.02
- Engine Firmware Version: 1.10.65
- Network Firmware Version: V4.02.15(2335dn MFP) 11-22-2010
Super-l33t hack, right? I mean, Taviso is probably jealous. Either way, I felt it was at least important to point out… another good reason to make sure your printer admin interfaces are secured.
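For auditing your own devices, here is an added example (not part of the original write-up and not Dell's code) that checks a saved copy of an admin page for stored secrets returned in the markup. It assumes the credentials appear as pre-filled `value` attributes on form inputs, which the post does not specify; the field names, keyword list and sample HTML are constructed for illustration.

```python
from html.parser import HTMLParser

# Assumed keywords for credential-like field names; adjust per device.
SECRET_HINTS = ("pass", "pwd", "secret")


class PrefilledSecretFinder(HTMLParser):
    """Collects <input> fields whose markup carries a stored secret."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "input":
            return
        a = {k: (v or "") for k, v in attrs}
        name = a.get("name") or a.get("id") or "(unnamed)"
        ftype = a.get("type", "text").lower()
        value = a.get("value", "")
        looks_secret = any(h in name.lower() for h in SECRET_HINTS)
        # A password field should never be sent back with its value filled in.
        if value.strip() and (ftype == "password" or looks_secret):
            # Record the length only, never the secret itself.
            self.findings.append(
                {"field": name, "type": ftype, "length": len(value)})


def audit_html(html):
    """Return one finding per input that exposes a stored secret."""
    finder = PrefilledSecretFinder()
    finder.feed(html)
    finder.close()
    return finder.findings


# Constructed sample page, not captured from a real device.
SAMPLE = """
<form>
  <input type="text" name="smtpServer" value="mail.example.test">
  <input type="text" name="smtpLogin" value="scanner">
  <input type="password" name="smtpPassword" value="Constructed-Pw-1">
  <input type="text" name="ldapBindPwd" value="Constructed-Pw-2">
  <input type="password" name="adminPassword" value="">
</form>
"""

if __name__ == "__main__":
    for f in audit_html(SAMPLE):
        print(f"{f['field']} ({f['type']}): {f['length']}-char secret in page source")
```

Any finding means the device is handing the stored secret to every browser that loads the page, so the service account behind it should be rotated and scoped to the minimum the printer needs.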
I contacted Dell Vulnerability Research and provided the information to them. They indicated that this will not be remediated, since the 2335dn is end-of-support as of May 2018.
- Initial contact to Dell Vulnerability Research: May 2, 2018
- May 16th, 2018 Follow up from Dell: “Our engineering team is still assessing this and working the 3rd party suppliers who provide us the required updates.”
- Follow up email to Dell: August 1, 2018
- August 2, 2018 Follow up from Dell: “2335dn has End Of Support Life on May-2018. The replacement printer for the above would be B2375dnf (Falcon) or H815dw (Gyrfalcon C).”
- Follow up email to Dell, advising them I would be posting this write up: August 21, 2018.
No further response from Dell. This has tentatively been assigned CVE-2018-15748.