Konica Minolta bizhub 227
- Affected versions: <= GCQ-Y3
A vulnerability allowing a pass-back attack via LDAP has been identified in Konica Minolta bizhub 227 multifunction printers running version GCQ-Y3 or earlier. An authenticated attacker can reconfigure the printer's LDAP settings to point to an external LDAP service under their control. If an LDAP password is configured on the printer, the attacker can intercept it in plaintext by forcing the printer to authenticate against the malicious LDAP service.
Exploitation of this vulnerability could lead to the unauthorized disclosure of LDAP credentials, including those for Windows Active Directory, allowing for lateral movement within an organization's network and access to critical Windows servers and file systems.
To reproduce this vulnerability, an authenticated attacker must access the printer's admin account and navigate to the LDAP configuration page. Once there, the attacker can change the LDAP server's IP address to one they control. After saving this change, the attacker can use the 'Check Connection' feature to test the LDAP login, which will trigger the printer to authenticate with the attacker's LDAP server. If successful, the attacker can capture the plaintext LDAP credentials using a listener on the controlled server.
Users are advised to secure the admin password, restrict non-admin users from changing address book destinations, and avoid using LDAP accounts with elevated privileges on the multifunction printers. For more detailed guidance, consult the Konica Minolta vendor advisory.
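As an added example that is not part of this advisory or of Konica Minolta's own tooling, the following Python script shows the two defender-side checks that follow from it: a flow-log rule that flags a printer binding to an LDAP server outside an allowlist (the network signature of a pass-back, since the printer is made to authenticate to a host that is not a sanctioned directory server), and an audit of a printer's LDAP settings against the mitigations above. The flow-record format, the approved-server list, the printer subnet, the account names, the sample records and the configuration keys are all constructed for the example; a real MFP configuration export uses vendor-specific keys.

```python
"""Defender-side checks for an LDAP pass-back on a multifunction printer.

Added example, not vendor code. Everything below (flow format, subnets,
server allowlist, account names, config keys) is constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass

# Constructed values: the organisation's sanctioned LDAP / AD servers, the
# subnet holding the MFPs, and accounts that must never be an MFP bind account.
APPROVED_LDAP_SERVERS = {"10.0.0.10", "10.0.0.11"}
PRINTER_SUBNET = ipaddress.ip_network("10.20.0.0/24")
PRIVILEGED_ACCOUNTS = {"administrator", "domain admins", "svc-backup"}
LDAP_PORTS = {389: "ldap", 636: "ldaps", 3268: "gc", 3269: "gc-ssl"}


@dataclass
class Finding:
    source: str   # printer address that opened the connection
    reason: str   # why the connection is suspicious


def parse_flow(line: str) -> dict:
    """Parse one constructed 'key=value key=value ...' flow record."""
    return dict(kv.split("=", 1) for kv in line.split())


def check_flow(line: str):
    """Return a Finding when a printer opens an LDAP connection to a host
    that is not an approved directory server; None otherwise."""
    f = parse_flow(line)
    src = ipaddress.ip_address(f["src"])
    dport = int(f["dport"])
    # Only printer-originated traffic on LDAP-family ports is of interest.
    if src not in PRINTER_SUBNET or dport not in LDAP_PORTS:
        return None
    if f["dst"] not in APPROVED_LDAP_SERVERS:
        return Finding(
            str(src),
            f"{LDAP_PORTS[dport]}/{dport} bind attempt to unapproved server {f['dst']}",
        )
    return None


def scan_flows(lines):
    """Run check_flow over a batch of records and keep the findings."""
    return [fd for fd in (check_flow(ln) for ln in lines) if fd is not None]


def audit_ldap_config(cfg: dict) -> list:
    """Check a printer's LDAP settings against the advisory's mitigations.

    cfg is a hypothetical dictionary with constructed keys.
    """
    issues = []
    if cfg["server"] not in APPROVED_LDAP_SERVERS:
        issues.append(f"LDAP server {cfg['server']} is not an approved directory server")
    # TLS only protects the bind password if the printer also verifies the
    # server certificate; otherwise an attacker-controlled server still sees it.
    if not (cfg["use_tls"] and cfg["verify_server_cert"]):
        issues.append("LDAP bind is not protected by verified TLS; the password can be read by the server endpoint")
    if cfg["bind_account"].lower() in PRIVILEGED_ACCOUNTS:
        issues.append(f"bind account {cfg['bind_account']!r} is privileged; use a read-only service account")
    if cfg["non_admin_can_edit_destinations"]:
        issues.append("non-admin users may change address book destinations, including the LDAP server entry")
    return issues


# Constructed sample records: one normal LDAPS bind, one pass-back-style bind
# to an outside host, one non-printer source, one printer HTTPS connection.
SAMPLE_FLOWS = [
    "ts=2024-01-01T10:00:00Z src=10.20.0.15 dst=10.0.0.10 dport=636 proto=tcp",
    "ts=2024-01-01T10:00:05Z src=10.20.0.15 dst=203.0.113.7 dport=389 proto=tcp",
    "ts=2024-01-01T10:00:09Z src=10.50.0.3 dst=203.0.113.7 dport=389 proto=tcp",
    "ts=2024-01-01T10:00:12Z src=10.20.0.15 dst=203.0.113.7 dport=443 proto=tcp",
]

# Constructed configurations: the weak one mirrors the advisory's risk factors.
WEAK_CONFIG = {
    "server": "203.0.113.7", "use_tls": False, "verify_server_cert": False,
    "bind_account": "Administrator", "non_admin_can_edit_destinations": True,
}
HARDENED_CONFIG = {
    "server": "10.0.0.10", "use_tls": True, "verify_server_cert": True,
    "bind_account": "svc-mfp-ldap-ro", "non_admin_can_edit_destinations": False,
}

if __name__ == "__main__":
    for finding in scan_flows(SAMPLE_FLOWS):
        print(f"[flow] {finding.source}: {finding.reason}")
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"[config:{name}] {audit_ldap_config(cfg) or 'no issues'}")
```

The flow check is the one that matters operationally: the pass-back described above cannot succeed without the printer opening an LDAP bind to a host that is not one of the organisation's directory servers, so an allowlist on printer-originated LDAP traffic (enforced at the firewall and alerted on in flow logs) both detects and blocks it. The configuration audit covers the advisory's mitigations, which limit the damage if the admin account is nonetheless compromised.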