A security flaw in the web front-end of Brother printers leaves them open to denial of service attacks that can render them inaccessible for long periods.
Brother has not released a patch for the flaw despite repeated reminders from the security researchers who reported it, leaving customers in the lurch.
Brother UK, which PC Pro has named its best printer brand for the fourth consecutive year, has not patched a security flaw in its printers that leaves them open to a denial of service attack requiring nothing more than a single malformed HTTP request.
According to Trustwave, the security firm that discovered the flaw, a little over 16,000 printers running the vulnerable Debut embedded web server are reachable from the Internet.
The firm said that despite repeated reminders to Brother, no patch has been released so far. Until one is, administrators should restrict access to the printers' web interfaces, for example by allowing only management hosts to reach them and placing the printers behind a firewall so that they are not exposed to the Internet.
Trustwave's researchers added that an attacker can take a vulnerable printer offline by sending a single malformed HTTP POST request. The embedded web server hangs while handling it and eventually answers with an HTTP 500 error; while it is hung, the device is inaccessible to users.
‘The Debut embedded http server contains a remotely exploitable denial of service where a single malformed HTTP request can cause the server to hang until eventually replying with an HTTP 500 error.
‘While the server is hung, print jobs over the network are blocked and the web interface is inaccessible. An attacker can continuously send this malformed request to keep the device inaccessible to legitimate traffic,’ they added.
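The access control advice above keeps attackers away from the interface; the probe below is the other half, noticing when a printer has been knocked over anyway. It is an added example and not code from the article or from Trustwave. It assumes the printer's web interface speaks plain HTTP on a known port and that a GET of "/" normally answers promptly; it reports the two symptoms the advisory describes, a server that does not answer within a timeout and one that eventually answers with a 500. The mock printer, hostnames and ports are constructed for the example.

```python
"""Availability probe for a printer's embedded web interface.

Added example; not code from the article or from Trustwave. Assumes the
printer's web interface answers plain HTTP on a known port and that GET /
normally returns quickly. The mock printer below is constructed so the
example runs offline.
"""
import http.client
import threading
import time
from http.server import BaseHTTPRequestHandler, HTTPServer


def probe(host, port=80, path="/", timeout=5.0):
    """Fetch `path` once and classify the result.

    Returns (state, elapsed_seconds) where state is:
      "ok"    - a response below 500 arrived within `timeout`
      "error" - the server answered, but with a 5xx (the Debut server
                eventually sends a 500 once it gives up on the malformed
                request) or with something that is not valid HTTP
      "hung"  - nothing arrived within `timeout`, or the connection was
                refused/reset: the interface is effectively down
    """
    start = time.monotonic()
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", path, headers={"Connection": "close"})
        resp = conn.getresponse()
        resp.read()
        state = "error" if resp.status >= 500 else "ok"
    except http.client.HTTPException:
        state = "error"          # answered, but not parseable HTTP
    except OSError:              # socket.timeout, refused, reset
        state = "hung"
    finally:
        conn.close()
    return state, time.monotonic() - start


def needs_alert(states, window=3):
    """True when the last `window` probes were all non-ok.

    A single failed probe may be a blip; the attack in the advisory
    re-sends the malformed request continuously, which shows up as a
    sustained run of "hung"/"error" results.
    """
    recent = list(states)[-window:]
    return len(recent) == window and all(s != "ok" for s in recent)


def start_mock_printer(delay=0.0, status=200):
    """Local stand-in for a printer web interface (constructed for this
    example). It waits `delay` seconds, then answers with `status`, which
    reproduces both the hang and the eventual 500.
    Returns (server, port); call server.shutdown() when done."""

    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            time.sleep(delay)
            try:
                self.send_response(status)
                self.send_header("Content-Length", "0")
                self.end_headers()
            except OSError:
                pass  # the client already gave up on us

        def log_message(self, *args):
            pass  # keep the demo quiet

    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, server.server_address[1]


if __name__ == "__main__":
    # A healthy printer, one that answers 500 late, and one that hangs
    # past the probe's patience.
    for delay, status in ((0.0, 200), (0.2, 500), (2.0, 500)):
        server, port = start_mock_printer(delay, status)
        print(f"delay={delay}s status={status}:",
              probe("127.0.0.1", port, timeout=0.5))
        server.shutdown()
        server.server_close()
```

Run it from a host on the management network on a schedule, feed the states into needs_alert, and page someone when a printer stays down; a run of "hung" results on several printers at once is also the moment to be suspicious of any unexpected "technician" turning up at reception.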
The researchers also explained the damage an attacker can inflict on an organisation by exploiting the flaw.
‘Some people dismiss Denial of Service attacks as a mere nuisance, but they can tie up resources and reduce productivity at any organization. They can also be used as a part of an in-person attack on an organization.
‘For instance, an attacker can launch a Denial of Service like this one and then show up at the organization as the “technician” called to fix the problem. Impersonating a technician would allow the attacker direct physical access to IT resources that they might never have been able to access remotely,’ they added.