A total of 689 printer models from Brother, along with 53 other models from Fujifilm, Toshiba, and Konica Minolta, come with a default administrator password that remote attackers can generate. Even worse, there is no way to fix the flaw via firmware in existing printers.

The flaw, tracked under CVE-2024-51978, is part of a set of eight vulnerabilities discovered by Rapid7 researchers during a lengthy examination of Brother hardware.

This crucial vulnerability can be chained with other vulnerabilities discovered by Rapid7 to determine the admin password, take control of devices, perform remote code execution, crash them, or pivot within the networks they’re connected to.

Not all of the flaws affect every one of the 689 Brother printer models, but other manufacturers, including Fujifilm (46 models), Konica Minolta (6), Ricoh (5), and Toshiba (2), are impacted as well.

Insecure password generation

The default password in the impacted printers is generated during manufacturing using a custom alogirthm based on the device’s serial number.

According to a detailed technical analysis by Rapid7, the password generation algorithm follows an easily reversible process:

1. Take the first 16 characters of the serial number.
2. Append 8 bytes derived from a static “salt” table.
3. Hash the result with SHA256.
4. Base64-encode the hash.
5. Take the first eight characters and substitute some letters with special characters.

Attackers can leak the serial number of the target printer using various methods or by exploiting CVE-2024-51977. They can then use the algorithm to generate the default admin password and log in as admin.

From there, they may reconfigure the printer, access stored scans, read address books, exploit CVE-2024-51979 for remote code execution, or exploit CVE-2024-51984 to harvest credentials.

Rapid7 began its disclosure process in May 2024 and was aided by JPCERT/CC in coordinating disclosures to other manufacturers.

Although all flaws have been fixed in firmware updates made available by impacted manufacturers, the case with CVE-2024-51978 is complicated in terms of risk management.

The vulnerability is rooted in the password generation logic used in hardware manufacturing, and hence, any devices made before its discovery will have predictable passwords unless users change them.

“Brother has indicated that this vulnerability cannot be fully remediated in firmware, and has required a change to the manufacturing process of all affected models,” explains Rapid7 regarding CVE-2024-51978.

Users of existing Brother printers listed in the impacted models should consider their devices vulnerable and immediately change the default admin password, followed by applying the firmware updates.

In general, it is recommended to restrict access to the printer’s admin interfaces over unsecured protocols and external networks.

Security bulletins with instructions on what users should do are available for Brother, Konica Minolta, Fujifilm, Ricoh, and Toshiba.