Cyber Security News

Xerox Printers Vulnerability Let Attackers Capture Authentication Data From LDAP & SMB

Multiple vulnerabilities in enterprise-grade Xerox Versalink C7025 multifunction printers (MFPs) enable attackers to intercept authentication credentials from Lightweight Directory Access Protocol (LDAP) and Server Message Block (SMB) services. 

Designated as CVE-2024-12510 and CVE-2024-12511, these flaws allow malicious actors to execute “pass-back attacks” – a technique that redirects device authentication attempts to attacker-controlled systems. 

The vulnerabilities, discovered by Rapid7 Principal IoT Researcher Deral Heiland, affect firmware versions 57.69.91 and earlier on Xerox’s widely deployed enterprise printers.

LDAP Pass-Back Exploitation (CVE-2024-12510)

The LDAP vulnerability enables attackers with administrative access to the printer’s web interface to reconfigure the LDAP server IP address to a rogue host. 

Once modified, any LDAP authentication attempt initiated through the printer’s “User Mappings” feature transmits clear-text credentials to the attacker’s server. 

[Image: intercepted authentication credentials]

This attack preys on organizations using LDAP for centralized user authentication, requiring:

  • Valid LDAP configuration on the printer for normal operations
  • Compromise of the printer’s admin credentials (default or weak passwords)
  • Network access to modify LDAP server settings

Security analysts demonstrated the attack using a Python-based LDAP listener, capturing credentials in real time during printer-initiated authentication requests. 

The harvested credentials could grant attackers access to enterprise directories containing sensitive user attributes and permissions.

SMB/FTP Credential Interception (CVE-2024-12511)

The secondary vulnerability targets the printer’s scan-to-network functionality. Attackers modifying SMB/FTP server entries in the device’s address book can redirect file scans to malicious hosts. This technique captures:

  • NetNTLMv2 hashes when using SMB, enabling relay attacks against Active Directory
  • Clear-text credentials if FTP authentication is configured

Metasploit’s auxiliary/server/capture/smb module can harvest NetNTLMv2 challenges, which attackers then crack offline or relay to domain-joined systems. 

[Image: clear-text FTP authentication credentials]

Researchers’ testing showed successful compromise of domain admin accounts when printers used privileged service accounts for scan-to-folder workflows.

Enterprise Impact and Attack Scenarios

These vulnerabilities present critical risks due to:

  • Lateral Movement Potential: Compromised domain credentials enable attackers to pivot from printers to file servers, ERP systems, and cloud resources.
  • Persistence Opportunities: Captured SMB hashes facilitate golden ticket attacks and persistent AD footholds.
  • Physical Access Exploitation: Attackers could execute attacks locally via the printer’s control panel without needing network access.

In one demonstrated attack chain, researchers gained admin access via default credentials (Xerox devices often retain factory defaults), pointed the LDAP settings at an attacker-controlled IP, triggered an LDAP bind via the “Test Connection” feature, and used the captured credentials to access HR databases containing PII.

Mitigation Strategies 

Xerox released patched firmware (version 57.69.92+) addressing both CVEs. If immediate patching isn’t feasible:

  • Rotate all printer service account passwords
  • Disable unused protocols (FTP/SMBv1) via administrative console
  • Implement network segmentation restricting printer communication to essential ports
  • Enable MFA for printer administrative access
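Both CVEs depend on the printer being made to open an LDAP, SMB or FTP connection to a host the attacker controls, so the segmentation advice above can also be enforced as a detection. The following is an added example (not from the article or from Rapid7/Xerox) that checks constructed flow-log lines for printer-originated LDAP/SMB/FTP connections to any destination outside an allow-list; the printer subnet, approved server addresses and log format are all assumptions for this example.

```python
import ipaddress
import re
from collections import namedtuple

# Assumed network layout: the printer VLAN and the only hosts printers may
# reach per protocol. FTP has no approved destination, so any FTP flow is flagged.
PRINTER_NETWORK = ipaddress.ip_network("10.20.30.0/24")
APPROVED_SERVERS = {
    389: {"10.0.0.5", "10.0.0.6"},  # LDAP directory servers
    636: {"10.0.0.5", "10.0.0.6"},  # LDAPS
    445: {"10.0.1.10"},             # scan-to-folder SMB file server
    21: set(),                      # FTP: disabled, nothing is approved
}
PROTO_NAME = {389: "LDAP", 636: "LDAPS", 445: "SMB", 21: "FTP"}

# Constructed flow-log format: "<ts> src=<ip>:<port> dst=<ip>:<port> proto=tcp"
FLOW_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+) proto=tcp$"
)

Alert = namedtuple("Alert", "ts printer protocol destination")


def parse_flow(line):
    """Return (ts, src_ip, dst_ip, dst_port) or None for unparseable lines."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return m.group("ts"), m.group("src"), m.group("dst"), int(m.group("dport"))


def find_passback_candidates(lines):
    """Flag printer-originated directory/file-share flows to unapproved hosts."""
    alerts = []
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None:
            continue
        ts, src, dst, dport = parsed
        if ipaddress.ip_address(src) not in PRINTER_NETWORK:
            continue  # only printer-sourced traffic is in scope
        if dport in APPROVED_SERVERS and dst not in APPROVED_SERVERS[dport]:
            alerts.append(Alert(ts, src, PROTO_NAME[dport], dst))
    return alerts


# Constructed sample flows: two legitimate, two redirected to a rogue host,
# one FTP scan destination, one non-printer source, one malformed line.
SAMPLE_FLOWS = [
    "2025-01-10T09:00:01Z src=10.20.30.15:51000 dst=10.0.0.5:389 proto=tcp",
    "2025-01-10T09:00:02Z src=10.20.30.15:51001 dst=10.0.1.10:445 proto=tcp",
    "2025-01-10T09:05:10Z src=10.20.30.15:51002 dst=192.168.77.9:389 proto=tcp",
    "2025-01-10T09:05:11Z src=10.20.30.15:51003 dst=192.168.77.9:445 proto=tcp",
    "2025-01-10T09:06:00Z src=10.20.30.15:51004 dst=10.0.1.10:21 proto=tcp",
    "2025-01-10T09:06:05Z src=10.50.1.7:51005 dst=192.168.77.9:389 proto=tcp",
    "garbage line",
]

if __name__ == "__main__":
    for alert in find_passback_candidates(SAMPLE_FLOWS):
        print(f"{alert.ts} printer {alert.printer} -> {alert.protocol} {alert.destination}")
```

A real deployment would feed the same logic from firewall or NetFlow exports and pair it with an alert on any change to the printer's LDAP server or address-book entries, since a configuration change precedes the redirected connection.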

With patched firmware now available, organizations must act swiftly to close this attack vector before threat actors exploit these vulnerabilities in the wild.

Guru Baran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
