stickjae.blogg.se

Kyocera net admin

Rapid7 researcher Aaron Herndon has discovered that several models of Kyocera multifunction printers (MFPs) running vulnerable versions of Net Viewer unintentionally expose sensitive user information, including usernames and passwords, through an insufficiently protected address book export function. This vulnerability is an instance of CWE-522: Insufficiently Protected Credentials, and has an estimated base CVSS 3.1 score of 8.6, given that the credentials exposed are used to authenticate to other endpoints, such as external FTP and SMB servers.

Many Kyocera MFPs can be administered using Net Viewer. Two such supported and tested models are the ECOSYS M2640idw and the TASKalfa 406ci. These printers can be routinely found in both home office and enterprise environments around the world.

This issue, CVE-2022-1026, was discovered by security researcher Aaron Herndon of Rapid7. It is being disclosed in accordance with Rapid7's vulnerability disclosure policy.

Kyocera exposes a SOAP API on port 9091/TCP used for remote printer management via the Net Viewer thick client application. While the API supports authentication, and the thick client performs this authentication, capturing the SOAP requests showed that the specific request to extract an address book, `POST /ws/km-wsdl/setting/address_book`, does not require an authenticated session to submit. The screenshot in the original advisory shows an unauthenticated SOAP request to that service, `POST /ws/km-wsdl/setting/address_book`, with the described XML; this instructs the printer to prepare an address book object for download containing all sensitive data configured in the address book. Those address books, in turn, contain stored email addresses, usernames, and passwords, which are normally used to store scanned documents on external services or to send them to users over email. In order to exploit the vulnerability, an attacker need only be on a network that can reach the MFP's listening SOAP service on port 9091/TCP.
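Because the export request needs no session, the practical control is to watch who reaches that endpoint and to keep 9091/TCP restricted to the host that runs Net Viewer. The following detection routine is an added example and not part of the advisory: it parses a constructed key=value HTTP-metadata log (the format, the 10.0.5.0/24 management subnet and the 10.0.9.50 printer address are assumptions) and flags address book export POSTs from outside the management subnet; port and path are the ones named above.

```python
import re
from ipaddress import ip_address, ip_network

# Port and path come from the advisory; the log format is a constructed
# example of a proxy/IDS exporting HTTP metadata as key=value pairs.
SOAP_PORT = 9091
ADDRESS_BOOK_PATH = "/ws/km-wsdl/setting/address_book"
LOG_RE = re.compile(
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+) "
    r"method=(?P<method>\S+) path=(?P<path>\S+)"
)

def detect_address_book_exports(lines, mgmt_net):
    """Flag POSTs to the address book export endpoint on the SOAP port that
    do not originate from the subnet where Net Viewer is expected to run.
    Returns one dict per suspicious request (src, dst, raw line)."""
    allowed = ip_network(mgmt_net)
    alerts = []
    for line in lines:
        m = LOG_RE.search(line)
        if m is None:
            continue  # unparseable line: skip rather than abort the whole run
        if int(m["dport"]) != SOAP_PORT:
            continue
        if m["method"] != "POST" or m["path"] != ADDRESS_BOOK_PATH:
            continue
        try:
            src = ip_address(m["src"])
        except ValueError:
            continue  # malformed source address
        if src in allowed:
            continue  # expected management traffic from the Net Viewer host
        alerts.append({"src": m["src"], "dst": m["dst"], "line": line})
    return alerts

# Constructed sample log: 10.0.5.0/24 is the assumed management subnet and
# 10.0.9.50 an assumed MFP address.
SAMPLE_LOG = [
    "src=10.0.5.20 dst=10.0.9.50 dport=9091 method=POST path=/ws/km-wsdl/setting/address_book",
    "src=10.0.77.13 dst=10.0.9.50 dport=9091 method=POST path=/ws/km-wsdl/setting/address_book",
    "src=10.0.77.13 dst=10.0.9.50 dport=80 method=GET path=/",
    "garbage line the parser must tolerate",
]

if __name__ == "__main__":
    for alert in detect_address_book_exports(SAMPLE_LOG, "10.0.5.0/24"):
        print(f"address book export from non-management host {alert['src']} -> {alert['dst']}")
```

A hit on this rule means a host outside the management subnet pulled, or tried to pull, the stored FTP/SMB/email credentials from the printer; rotating those credentials is the follow-up.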