Remote Method Found to Disable Brother Printers
Security experts from Trustwave have reported an unpatched vulnerability that allows remote attacks on thousands of Brother printers, resulting in denial of service (DoS). According to the researchers, the issue lies in the built-in Debut httpd server, which is used by some Brother models to power their web interface. The vulnerability, identified as CVE-2017-16249, is present in Debut version 1.20 and earlier.
How the Attack Works
Launching a DoS attack on vulnerable devices is relatively simple: an attacker needs to send a specially crafted HTTP POST request to the affected printer. This request causes the device’s web server to hang for an extended period, eventually returning an HTTP 500 error. While the server is trying to process the request, the printer is unable to perform its functions, and the web interface becomes inaccessible.
Experts note that it is possible to keep the device in a non-working state for a long time by continuously sending malicious requests. According to the Shodan search engine, there are at least 16,000 devices on the internet vulnerable to this type of attack.
Potential Risks for Organizations
Trustwave researchers point out that attackers could use this vulnerability for targeted attacks on organizations. The failure of most printers would certainly have a negative impact on a company’s operations. Additionally, such DoS attacks could be exploited by scammers. For example, an attacker could launch a DoS attack and then show up at the organization posing as a “technician” sent to fix the problem. By pretending to be a technician, the attacker could gain direct physical access to the organization’s IT resources, which might not have been possible remotely.
Manufacturer Response and Disclosure
Trustwave specialists notified the manufacturer about the problem back in September 2017 but did not receive any response. As a result, they decided to publish not only information about the vulnerability but also a proof-of-concept exploit for it.