Multiple Brother Devices Vulnerabilities Open Devices for Hacking
A comprehensive security research investigation has unveiled eight critical vulnerabilities affecting 742 printer and multifunction device models across four major manufacturers.
The discovery, stemming from a zero-day research project conducted by cybersecurity firm Rapid7, exposes severe security flaws in Brother Industries’ printer ecosystem that extend beyond the manufacturer’s own devices to impact models from FUJIFILM Business Innovation, Ricoh, and Toshiba Tec Corporation.
The vulnerabilities range from information disclosure to complete device compromise, with the most severe being an authentication bypass flaw assigned CVE-2024-51978 that carries a critical CVSS score of 9.8.
.png
"Multiple Brother Devices Vulnerabilities Open Devices for Hacking 2")
This particular vulnerability enables remote unauthenticated attackers to generate default administrator passwords by exploiting a predictable password generation algorithm that transforms device serial numbers into authentication credentials.
The flaw is so fundamental to the manufacturing process that Brother has indicated it cannot be fully remediated through firmware updates alone, requiring changes to the production pipeline for complete mitigation.
The scope of the security exposure is unprecedented in the printer security landscape, affecting 689 Brother devices alongside dozens of models from partner manufacturers.
Rapid7 analysts identified these vulnerabilities through extensive testing of multifunction printers, discovering attack vectors that span multiple network protocols including HTTP, HTTPS, IPP, PJL, and web services.
The research methodology involved detailed analysis of firmware components, protocol implementations, and authentication mechanisms across the affected device families.
The vulnerability cluster creates multiple attack pathways that can be chained together for maximum impact. An attacker can leverage CVE-2024-51977 to leak sensitive device information including serial numbers, then utilize CVE-2024-51978 to generate administrative credentials, and finally exploit CVE-2024-51979 for stack-based buffer overflow attacks that could lead to remote code execution.
This attack chain transforms what might appear as moderate individual vulnerabilities into a critical security threat when combined systematically.
Authentication Bypass and Default Password Generation Mechanism
The most significant vulnerability in this collection, CVE-2024-51978, exposes a fundamental flaw in Brother’s device security architecture through its predictable default password generation system.
During the manufacturing process, each device receives a unique default administrator password calculated using a deterministic algorithm that transforms the device’s serial number into the authentication credential.
This approach, while intended to provide unique passwords across the device fleet, creates a critical security weakness when the generation algorithm becomes known.
The attack methodology begins with serial number disclosure through multiple vectors. Attackers can obtain device serial numbers via CVE-2024-51977 through HTTP, HTTPS, or IPP services, or alternatively through direct PJL or SNMP queries that bypass the information leak vulnerability entirely.
Once the serial number is acquired, the predictable password generation algorithm allows attackers to compute the corresponding default administrator password without requiring any authenticated access to the target device.
Brother’s acknowledgment that this vulnerability cannot be fully addressed through firmware updates highlights the severity of the architectural flaw.
The company has implemented manufacturing process changes for newly produced devices while providing workarounds for existing installations.
However, devices manufactured using the original process remain fundamentally vulnerable unless administrators manually change default passwords, a step that many organizations overlook in their printer deployment procedures.
Vulnerabilities:-
| CVE | Description | Affected Service | CVSS Score |
|---|---|---|---|
| CVE-2024-51977 | An unauthenticated attacker can leak sensitive information | HTTP (Port 80), HTTPS (Port 443), IPP (Port 631) | 5.3 (Medium) |
| CVE-2024-51978 | An unauthenticated attacker can generate the device’s default administrator password | HTTP (Port 80), HTTPS (Port 443), IPP (Port 631) | 9.8 (Critical) |
| CVE-2024-51979 | An authenticated attacker can trigger a stack based buffer overflow | HTTP (Port 80), HTTPS (Port 443), IPP (Port 631) | 7.2 (High) |
| CVE-2024-51980 | An unauthenticated attacker can force the device to open a TCP connection | Web Services over HTTP (Port 80) | 5.3 (Medium) |
| CVE-2024-51981 | An unauthenticated attacker can force the device to perform an arbitrary HTTP request | Web Services over HTTP (Port 80) | 5.3 (Medium) |
| CVE-2024-51982 | An unauthenticated attacker can crash the device | PJL (Port 9100) | 7.5 (High) |
| CVE-2024-51983 | An unauthenticated attacker can crash the device | Web Services over HTTP (Port 80) | 7.5 (High) |
| CVE-2024-51984 | An authenticated attacker can disclose the password of a configured external service | LDAP, FTP | 6.8 (Medium) |
The coordinated disclosure process, spanning thirteen months from initial contact to public release, involved collaboration between Rapid7, Brother Industries, and Japan’s JPCERT/CC coordination center.
Seven of the eight vulnerabilities have been addressed through firmware updates, with comprehensive remediation requiring both software patches and configuration changes to fully secure affected devices across the enterprise printer landscape.
Investigate live malware behavior, trace every step of an attack, and make faster, smarter security decisions -> Try ANY.RUN now
Source link
