SCADAfence Researchers Discover A Sensitive Information Leak Vulnerability in Canon Printers

As part of our mission to secure the world’s OT, IoT and Cyber Physical infrastructures, we invest resources into offensive research of vulnerabilities and attack techniques.

CVE-2020-16849 is a remote information disclosure vulnerability in Canon printers that was discovered by SCADAfence researchers Maayan Fishelov, Dan Haim and Ofer Shaked.

The vulnerability allows a remote attacker to leak the address book and administrator password, unauthenticated, over the network.

Canon is one of the world’s leaders in cameras, photocopiers, printers and broadcasting equipment. SCADAfence has been working with Canon for the last few months in handling this vulnerability, and on October 1st, Canon published an official security advisory reporting this vulnerability and its mitigations.

About The CVE-2020-16849 Vulnerability

The vulnerability exists inside the printer’s IP protocol stack, which is used by Canon Laser Printers and Small Office Multifunctional Printers. 

The potential for a third-party attack exists on the devices when they’re connected to a network that allows fragments of the “Address book” or/and “administrator password” to be acquired through an unsecured network. It should be noted that when HTTPS is used for the communication of Remote UI, data is secured by encryption.

To date, there have been no confirmed cases of the vulnerability being exploited to cause harm. However, in order to ensure that Canon’s customers can use their products securely, new firmware will be available for affected Canon products.

What SCADAfence Recommends Vendors To Do

Prevent Unauthorized and Untrusted Access

- Use a firewall or virtual private network (VPN), etc. to prevent unauthorized access when Internet access is required.

- Use within a LAN and block access from untrusted networks and hosts through firewalls.

 

Perform an IoT Vulnerability Management Process

Tools such as the SCADAfence IoT Security platform can help you identify vulnerable devices.

Monitor for Unauthorized Network Activity and Exploitation

Some devices will always remain unpatched. Monitoring is an early warning system that allows you to act before attackers have gained full control over your network.

Upgrade to the Latest Firmware

Canon issued a new firmware that users are able to upgrade to.

  

Special Thanks & Recognition

The SCADAfence Research team would like to thank the Canon team for a speedy vulnerability reporting process even during the challenging COVID-19 times.

SCADAfence is committed to continued research of offensive technologies and development of new defensive technologies.

 

Exploit PoC

We wrote a Python POC (GPLv3) script of the exploit in action. The exploit is only available for educational and legal research purposes.

Warning: The script might crash the printer - do not use it in production.

To get this python exploit, please send an email to research@scadafence.com, identify yourself and explain how you’re going to use the exploit.

We reserve the right to refuse any request.