yvanrodrigues.com Welcome to my web site and blogs.
Yvan Site Admin
Joined: 19 Mar 2005 Posts: 721
Posted: Tue Apr 05, 2005 3:31 pm Post subject:
Ricoh printer/copier SNMP password vulnerability
Scope: Many and possibly all Ricoh connected printers/copiers on campus. Specifically tested on models AF1027, AF1045, CL7000.
Overview: Default configuration allows anonymous users to change printer settings and possibly overwrite firmware, allowing execution of code.
Detail: While walking the SNMP tree for a Ricoh printer I found it odd that the private (writable) SNMP password was staring at me. Specifically an SNMP get message to .1.3.6.1.4.1.367.3.2.1.7.3.1.5.1.2.2 will return the private community name, even if it has been changed from the default password by an administrator.
Background: Most printers allow management using SNMP which is enabled by default. Most SNMP implementations use two passwords (called communities), one for read-only use (often set to "public") and one for read/write use (often set to "private" or "admin"). Queries made using the public community name should not return confidential data.
Workaround: Change the public community name to a secret value and use this for SNMP read-only queries. Note: This will result in the inability to use Ricoh management tools such as SmartDeviceMonitor which expect the public community name to be set to "public" and do not offer a way of changing this on the client. An alternative workaround would be to put the printer on a private trusted network or behind a NAT/firewall that has been configured to disallow the UDP SNMP port. I have not yet confirmed whether or not the built-in IP security facility (i.e. restricting TCP/IP communications to selected addresses or address ranges) restricts SNMP traffic.
This issue has been reported to Ricoh.
Discovered: April 4, 2005 by Yvan Rodrigues, University of Waterloo Graphics
Yvan Site Admin
Joined: 19 Mar 2005 Posts: 721
Posted: Thu Jun 16, 2005 10:44 am Post subject:
Furthermore it appears that one can make setting changes via SNMP using the public community name, i.e. the private cmty name is not needed.
These vulnerabilities are detected by Yvan's Multiple Printer Vulnerability Scanner, available in my software section.
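Added example, not part of the original posts and not the author's scanner: a passive check, suitable for a network sensor, that decodes SNMPv1/v2c payloads seen on UDP port 161 and flags the two conditions described in this thread (the community-name OID appearing in a request or response, and a set-request sent with the "public" community). The OID is the one quoted in the first post; the function names, finding strings and sample packets are constructed for illustration, and SNMPv3 is assumed to be out of scope.

```python
TARGET = ".1.3.6.1.4.1.367.3.2.1.7.3.1.5.1.2.2"   # OID quoted in the first post
GET, RESPONSE, SET = 0xA0, 0xA2, 0xA3              # BER tags of SNMP PDUs

def tlv(buf, pos):                                 # -> (tag, value, next_pos)
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                              # long form: low 7 bits = length bytes
        end = pos + (length & 0x7F)
        length, pos = int.from_bytes(buf[pos:end], "big"), end
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def decode_oid(data):
    arcs, val = [data[0] // 40, data[0] % 40], 0   # first byte packs two arcs
    for b in data[1:]:
        val = (val << 7) | (b & 0x7F)              # base-128, high bit = continue
        if not b & 0x80:
            arcs, val = arcs + [val], 0
    return "." + ".".join(map(str, arcs))

def inspect_snmp(payload):                         # -> list of findings, [] if clean
    try:
        _, msg, _ = tlv(payload, 0)
        _, _, p = tlv(msg, 0)                      # version
        _, community, p = tlv(msg, p)
        pdu_tag, pdu, _ = tlv(msg, p)
        p = 0
        for _ in range(3):                         # request-id, error-status, error-index
            _, _, p = tlv(pdu, p)
        _, binds, _ = tlv(pdu, p)
        oids, p = [], 0
        while p < len(binds):
            _, vb, p = tlv(binds, p)
            oids.append(decode_oid(tlv(vb, 0)[1]))
    except (ValueError, IndexError):
        return ["malformed SNMP payload"]
    found = []
    if TARGET in oids and pdu_tag in (GET, RESPONSE):
        found.append("community-name OID in " + ("request" if pdu_tag == GET else "response"))
    if pdu_tag == SET and community == b"public":
        found.append("set-request using community 'public'")
    return found

def enc(tag, body):                                # short-form TLV for constructed samples
    return bytes([tag, len(body)]) + body
def sample(pdu_tag, community, oid_hex):           # constructed packet, one NULL varbind
    vb = enc(0x30, enc(0x06, bytes.fromhex(oid_hex)) + enc(0x05, b""))
    pdu = enc(pdu_tag, enc(2, b"\x01") + enc(2, b"\x00") * 2 + enc(0x30, vb))
    return enc(0x30, enc(2, b"\x00") + enc(4, community) + pdu)
```

Matching on the response PDU as well as the request catches the value leaving the device during a tree walk, where the request itself names a different OID.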