Enterprises with Kyocera printers open to path traversal attacks

Multi-function printer (MFP) devices and software provider Kyocera Document Solutions has a path traversal vulnerability in its web-based device manager tool used for managing large printer fleets in mid-to-large sized enterprises, according to Trustwave.

Tracked as CVE-2023-50916, the vulnerability allows an attacker to intercept access and change the local path, set on the web application as a backup location, to a Universal Naming Convention (UNC) path, attempting to authenticate an attacker-controlled share.

While a local path refers to the location of a file or directory on the local file system of a specific computer, a UNC path specifies the location of a shared resource on a network.

“Upon receiving the UNC path, Kyocera Device Manager will attempt to confirm the access and then will try to authenticate the UNC path,” Kyocera said in a security update. “The attacker can possibly exploit UNC path authentication.”

The attacker must be on the same network as the Kyocera Device Manager to exploit this vulnerability.

Using interception proxy for path traversal

The Kyocera Device Manager administrative application allows administrators to configure the backup location of the database used by the application. Attempting to change this location to a UNC path using the GUI is rejected by the application due to the use of backslashes (“”) as a disallowed path, according to Trustwave.

While performing penetration testing, however, a Trustwave researcher was able to intercept and modify the access request using a web interception proxy (Burp suite) or by sending the request directly to the application endpoint. This allowed UNC paths to be set as backup locations.

“Trustwave SpiderLab’s Senior Technical Specialist, Jordan Hedges, discovered an improper input validation for the “path” parameter accepted by the “/backup-restore-service/config/backup-path” endpoint which handles requests from the UI to set the database backup location,” Trustwave said in a blog post. “He submitted a backup path that would pass the UI validation and then intercepted the client request post-validation to alter the path parameter value to a UNC path under his control.”

While there is no workaround to this vulnerability, Kyocera has rolled out a security update with a patch that implements a validation function, that if a path is changed to an invalid path, the invalid path is ignored and the original valid path is still applied.

The affected devices include the ones running the unpatched latest version of Kyocera’s Device Manager that supports installation on Windows Server 2012/2016/2019/2022 and Windows 10 and Windows 11.

UNC authentication attempts can allow credential relaying

Attempting to set the UNC path for the backup location triggers the device manager to initiate authenticating the share through NTLM (NT LAN Manager) protocols which, depending on a certain system configuration, allows credentials leakage.

Credentials leakage here refers to the capture or relay of Active Directory hashed credentials if the “Restrict NTLM: Outgoing NTLM traffic to remote servers” security policy is not enabled, according to the post.

“Once the location is updated Kyocera Device Manager attempts to confirm access and will try to authenticate to the UNC path, depending on configuration of the environment this may authenticate to the UNC share specified with Windows NTLM hashes,” Trustwave said. “This could allow NTLM credential relaying or cracking attacks.”

“If the attacker successfully obtains the authentication information, they can gain unauthorized access to clients’ accounts, steal data, or carry out malicious activities on Kyocera product devices,” Kyocera said in the update.

Trustwave urges Kyocera customers to immediately update to the latest release of the device manager application to protect against exploitation. “As part of Trustwave SpiderLab’s Coordinated Disclosure Policy, we reported this vulnerability to Kyocera, who fixed it in version 3.1.1213.0,” TrustWave added. 


Go to Source