DIVD-2022-00042 - Canon print portals facing the internet
| Our reference | DIVD-2022-00042 |
| Case lead | Lennaert Oudshoorn |
| Author | Simon Kort |
| Researcher(s) |
|
| CVE(s) | |
| Product | Canon printer webportals |
| Versions | Version independent |
| Recommendation | If you received a notification about this case then your Canon print portal was detected as having one, or more, of the three vulnerabilities listed below. DIVD recommends to shield Canon print portals from the internet through a proxy, extra login or by not facing the portal towards the internet. Canon does not provide guidance, nor will it fix the CVE that is associated with one of the vulnerabilities. |
| Patch status | Not available |
| Status | Closed |
| Last modified | 09 Apr 2023 16:51 CEST |
Summary
Canon network printers come with a print portal. In this portal you can see the status of your printer, upload files to print and generally manage the printer. These portals are effectively websites that can also face towards the internet. A malicious user could abuse the print portal and take control of your printer. There are three vulnerabilities in the print portal. If you have recieved a notification about this case then your print portal is vulnerable to one of more of them.
Open print portal
The print portal can have no authentication set up at all. In this case a malicious user can immediately do whatever it wants to the printer.
Guest user login
The print portal is setup to allow ‘guest’ users that do not need to have a credential, but can still do whatever they want to the printer.
CVE-2021-38154: Canon device Catwalk server privilege escalation
In versions of the print portal from between 2012 and 2020 the pincode option to authenticate can sometimes be bypassed by using the pin ‘0000’. This gives full access to the print portal.
What you can do
Limit who has access to the print portal and from where. Turn on authentication on the print portal. If the print portal is affected by : CVE-2021-38154 consider setting up HTTP basic authentication in addition to the Canon authentication process. A loadbalancer with a login from an identityprovider in front of the print portal can mitigate the risk as well. Canon has not patched this vulnerability. Other options are to let the print portal only be accessible through trusted network segments.
What we are doing
- DIVD is currently ensuring that the owners of vulnerable systems are being notified. We do this by scanning for vulnerable hosts, verifying the vulnerability and notifying the owners of these systems. If you receive an email from us regarding this case, the vulnerability has been confirmed.
Timeline
| Date | Description |
|---|---|
| 18 Aug 2022 | Scanning for vulnerable Canon print portals begins |
| 11 Nov 2022 | Owners of vulnerable systems are informed |
|
05 Apr 2023- 05 Apr 2023 |
Case closed |