2mo ago

Some Brother printers have a remote code execution vulnerability, and they can’t fix it

www.rapid7.com

Rapid7

Brother has indicated that this vulnerability cannot be fully remediated in firmware, and has required a change to the manufacturing process of all affected models.

7 comments

The most serious of the findings is the authentication bypass CVE-2024-51978. A remote unauthenticated attacker can leak the target device's serial number through one of several means, and in turn generate the target device's default administrator password. This is due to the discovery of the default password generation procedure used by Brother devices. This procedure transforms a serial number into a default password. Affected devices have their default password set, based on each device's unique serial number, during the manufacturing process. Brother has indicated that this vulnerability cannot be fully remediated in firmware, and has required a change to the manufacturing process of all affected models.
So the fix for this "can't be fixed" issue is to change the default password yourself, which you should be doing anyway.
- They should have a separate severity rating for "is this actually likely to impact admins who aren't complete idiots".
They're really lacking in imagination then. They could issue a firmware update that checks if the password has been changed from the default, and if not, prints a page informing the user that they must update the default password.
They can't fix this but they can stop us from using third-party toner. I see their priorities 🙄
- The toner thing was based entirely in a single 3 year old unverified Reddit post. There is zero evidence that Brother has ever blocked 3rd party toner, and plenty of evidence that 3rd party toner works just fine, even with the most recent firmware. These rumors need to stop.
Et tu, Brother?
Don't leave your admin password at the default. It's at simple as that. Setting a non-default admin password completely mitigates this attack.

7 comments