
CVE-2021-38154 Scanner
CVE-2021-38154 Scanner - Unauthorized Admin Access vulnerability in Canon Devices
Short Info
Level: Single Scan
Can be used by: Asset Owner
Estimated Time: 10 seconds
Time Interval: 9 days 15 hours
Scan only one: Domain, Subdomain, IPv4
Canon Devices are widely used in corporate environments for functions like printing, scanning, copying, and faxing. These devices often come with network features to enable remote management and configuration. Canon has been producing these devices for decades, offering products that range from small office devices to large enterprise-scale printers. The devices often integrate with other IT systems for streamlined operations, including document management and distribution. Administrators use Canon Devices for efficient document workflow processes in various sectors including education, healthcare, and corporate settings. The introduction of web-based and remote management features in recent models has enhanced the flexibility and usability of these devices.
The vulnerability detected by this scanner allows remote attackers to bypass authentication controls on Canon Devices when the Catwalk Server is enabled for HTTP access and no PIN is required for General User Mode. The bypass leads to unauthorized modification of settings, potentially allowing attackers to read or change sensitive device configuration. This weakness could also facilitate unauthorized network access or the interception of sensitive information. Exploitation has been observed in the wild, particularly in cases where incoming FAX information was redirected to unauthorized parties. The severity of the issue stems from the fact that sensitive data becomes reachable without any user authentication.
Technically, the bypass is reached through endpoints such as /tryLogin.cgi and /checkLogin.cgi, which can be driven with crafted HTTP POST requests. A successful bypass is recognisable by the device answering with an HTTP 302 or 303 redirect and setting cookies in the response, which indicates that a session has been initiated. By manipulating the parameters of these POST requests, an attacker can alter the system state and obtain admin control over the affected device, which further increases the security risk.
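A defender can turn the indicators named above (POSTs to /tryLogin.cgi or /checkLogin.cgi answered with 302/303) into a detection over the device's or a reverse proxy's access log. The following is an added example, not code from this scanner or from Canon; the log lines, the 10.0.0.0/8 management network and the severity labels are constructed assumptions.

```python
import ipaddress
import re
from typing import List, Tuple

# Constructed sample access-log lines (common log format). Not captured from a
# real device; addresses and timestamps are made up for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2024:09:14:02 +0000] "GET /index.html HTTP/1.1" 200 512
198.51.100.23 - - [12/Mar/2024:09:14:10 +0000] "POST /tryLogin.cgi HTTP/1.1" 302 0
198.51.100.23 - - [12/Mar/2024:09:14:11 +0000] "POST /checkLogin.cgi HTTP/1.1" 303 0
10.0.0.7 - - [12/Mar/2024:09:15:00 +0000] "POST /tryLogin.cgi HTTP/1.1" 401 0
10.0.0.8 - - [12/Mar/2024:09:16:30 +0000] "POST /tryLogin.cgi HTTP/1.1" 302 0
"""

# Assumption for this example: printers are managed only from 10.0.0.0/8.
MANAGEMENT_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Endpoints and "session started" status codes named in the text above.
LOGIN_ENDPOINTS = {"/tryLogin.cgi", "/checkLogin.cgi"}
SESSION_STARTED = {302, 303}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

Finding = Tuple[str, str, str, int, str]  # (src, ts, path, status, severity)

def detect_login_bypass(log_text: str) -> List[Finding]:
    """Flag POSTs to the login endpoints that were answered with a redirect,
    which is the response the text associates with a session being opened.
    Sources outside the management network are rated high, others info."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]   # ignore any query string
        status = int(m["status"])
        if path not in LOGIN_ENDPOINTS or status not in SESSION_STARTED:
            continue
        src = ipaddress.ip_address(m["src"])
        internal = any(src in net for net in MANAGEMENT_NETS)
        findings.append((m["src"], m["ts"], path, status, "info" if internal else "high"))
    return findings

if __name__ == "__main__":
    for src, ts, path, status, sev in detect_login_bypass(SAMPLE_LOG):
        print(f"{sev:4} {src} {ts} POST {path} -> {status}")
```

The 401 on the fourth line is a rejected login and is deliberately not flagged; redirects from inside the management network are kept as informational so that legitimate admin logins remain visible without paging anyone.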
Exploitation of this vulnerability could lead to several adverse effects, such as unauthorized access to administrative functions and sensitive data. Attackers might intercept faxes and emails intended for legitimate users, leading to data breaches. This unauthorized control may also allow the attacker to tamper with device settings, disrupting business operations and causing reputational damage. In the worst cases, attackers could leverage the access to distribute malware or perform further network infiltration. Organizations might face regulatory compliance issues due to the inadvertent exposure of confidential information.