
Kyocera Printers Open to Path Traversal Attacks

Path Traversal Flaw Allows Malicious Actors to Exploit Kyocera's Device Manager

Researchers found a path traversal vulnerability in Kyocera's Device Manager product, which is used for overseeing large printer fleets in mid- to large-sized enterprises.


The U.S. subsidiary of the Japanese company's office imaging division said exploiting the vulnerability requires an attacker to be logged onto a network "in order to take advantage and pose a real risk."

Researchers at cybersecurity firm Trustwave first disclosed the flaw in a Monday blog post. Kyocera released a patch in late December.

The vulnerability, tracked as CVE-2023-50916, is a path traversal flaw. Attackers can change the local path for the backup database, prompting the print manager software to confirm access and authenticate the path.

Trustwave said Kyocera had a safeguard in place: the software GUI rejects attempts to redefine the backup database path if the new address has a slash in it, in other words, if the new path points to a networked resource called via the Universal Naming Convention (UNC) standard. Because the check was enforced only in the GUI, researchers got around the restriction by using a web interception proxy or by sending the new path request directly to the application endpoint.

With the new path established to an attacker-controlled networked resource, the Kyocera software responds by authenticating the path. Trustwave said that, depending on the IT environment, the authentication message includes hashed Active Directory credentials. The NTLM hashes would be included if Windows administrators did not enable the "Network Security: Restrict NTLM: Outgoing NTLM traffic to remote servers" policy.
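The GUI-only check described above fails because the endpoint accepts whatever path it receives. The following is an added example, not Kyocera's or Trustwave's code, of the same rule enforced server-side on every request; the function names and the `D:\DeviceManagerBackups` directory are hypothetical placeholders.

```python
import ntpath
import re

# Constructed placeholder: the only directory backups may be written to.
ALLOWED_BASE = r"D:\DeviceManagerBackups"
_DRIVE_ABS = re.compile(r"^[A-Za-z]:\\")


class BackupPathError(ValueError):
    """Raised when a submitted backup path is not acceptable."""


def validate_backup_path(raw: str, base: str = ALLOWED_BASE) -> str:
    """Return the normalized path, or raise BackupPathError.

    Runs on the server for every request, so it holds even when the request
    is sent straight to the endpoint and never passes through the GUI.
    """
    if not isinstance(raw, str) or not raw.strip() or "\x00" in raw:
        raise BackupPathError("empty or malformed path")
    # Treat '/' and '\' alike; Windows APIs accept both as separators.
    unified = raw.strip().replace("/", "\\")
    # Two leading separators mean UNC (\\host\share), extended-length
    # (\\?\UNC\host\share) or device (\\.\) syntax, never a plain local path.
    if unified.startswith("\\\\"):
        raise BackupPathError("network or device path not allowed")
    if not _DRIVE_ABS.match(unified):
        raise BackupPathError("path must be absolute with a drive letter")
    # Collapse '.' and '..' before the containment check, so traversal
    # out of the allowed directory is caught.
    normalized = ntpath.normpath(unified)
    base_norm = ntpath.normpath(base).lower()
    lowered = normalized.lower()
    if lowered != base_norm and not lowered.startswith(base_norm + "\\"):
        raise BackupPathError("path is outside the allowed backup directory")
    return normalized


def is_allowed(raw: str) -> bool:
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        validate_backup_path(raw)
        return True
    except BackupPathError:
        return False
```

Pinning the path to one allowlisted directory also covers drive letters that are mapped to network shares, which a slash check alone would miss.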

About the Author

Prajeet Nair

Assistant Editor, Global News Desk, ISMG

Nair previously worked at TechCircle, IDG, Times Group and other publications, where he reported on developments in enterprise technology, digital transformation and other issues.
