US-CERT warns of new Samsung, Dell printer threat

The United States Computer Emergency Readiness Team (US-CERT) has issued a warning about the threat posed by hard-coded passwords on some Samsung and Dell printers.

The CERT advisory warns that a remote attacker can use the hard-coded password to gain administrative privileges and to view sensitive device and network information, as well as credentials and other data passed to the printer. While experts say the threat posed by endpoint devices such as printers is minimal, such devices could be leveraged by an attacker to gain access to more critical systems.

"Secondary impacts include: the ability to make changes to the device configuration, access to sensitive information … and the ability to leverage further attacks through arbitrary code execution," according to the CERT advisory issued on Monday.

The issue impacts Samsung printers and some Dell printers manufactured by Samsung, according to CERT. The affected devices "contain a hard-coded SNMP full read-write community string that remains active even when SNMP is disabled in the printer management utility."

Models released after October 31, 2012 are not affected by this vulnerability. Samsung said that it will release a patch tool later this year to address vulnerable devices, according to the advisory.

Embedded device security has slowly gained interest at enterprises dealing with extremely sensitive data or concerned about protecting intellectual property. Last year, a team of researchers from Columbia University's Department of Computer Science issued a study that warned that tens of millions of Hewlett-Packard printers were vulnerable to attack. Vulnerabilities in embedded devices, such as network printers, scanners and copiers, are typically difficult to patch, experts say. Instead, organizations can take steps to limit access to the devices.

A good security practice is to restrict access, only allowing connections from trusted hosts and networks. "Restricting access would prevent an attacker from accessing an SNMP interface using the affected credentials from a blocked network location," CERT said.
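To check whether that restriction actually holds, a defender can audit network flow records for SNMP traffic reaching printers from outside the trusted management range. The script below is an added example, not part of the CERT advisory or the original article; the subnets, the flow-record format and the sample records are constructed assumptions, and UDP port 161 is the standard SNMP agent port.

```python
import csv
import io
import ipaddress

SNMP_PORT = 161  # standard SNMP agent port (UDP)

# Assumed site policy (constructed values): printer subnet and trusted management hosts.
PRINTER_NETS = [ipaddress.ip_network("10.20.30.0/24")]
TRUSTED_NETS = [ipaddress.ip_network("10.20.1.0/28")]

# Constructed sample flow records in an assumed format: time,src,dst,proto,dport
SAMPLE_FLOWS = """\
2024-01-15T09:00:01,10.20.1.5,10.20.30.11,udp,161
2024-01-15T09:00:07,10.20.44.9,10.20.30.11,udp,161
2024-01-15T09:01:12,10.20.44.9,10.20.30.11,tcp,9100
2024-01-15T09:02:30,192.0.2.77,10.20.30.12,udp,161
2024-01-15T09:03:00,10.20.1.5,10.20.50.3,udp,161
not,a,valid,record
"""

def _in_any(addr, nets):
    """True if addr falls inside any of the given networks."""
    return any(addr in net for net in nets)

def untrusted_snmp_flows(text):
    """Return (time, src, dst) for SNMP flows to printers from untrusted sources."""
    hits = []
    for row in csv.reader(io.StringIO(text)):
        if len(row) != 5:
            continue  # skip malformed records rather than failing the audit
        ts, src, dst, proto, dport = (field.strip() for field in row)
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
            port = int(dport)
        except ValueError:
            continue  # unparsable address or port
        if proto.lower() != "udp" or port != SNMP_PORT:
            continue  # not SNMP
        # Flag only traffic that targets a printer and originates outside the allowlist.
        if _in_any(dst_ip, PRINTER_NETS) and not _in_any(src_ip, TRUSTED_NETS):
            hits.append((ts, src, dst))
    return hits

if __name__ == "__main__":
    for ts, src, dst in untrusted_snmp_flows(SAMPLE_FLOWS):
        print(f"{ts} untrusted SNMP access: {src} -> {dst}")
```

Any hit means the network-level restriction is not in effect for that path, which matters here because the advisory says the community string stays active even when SNMP is disabled in the printer management utility.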

~Robert Westervelt