Brother Multifunction Printers eSCL Protocol Serial Number Discovery Vulnerability

Vulnerability

A vulnerability exists in Brother multifunction printers running a specific firmware that allows the device serial number to be retrieved over the local network via the eSCL protocol. The serial number can then be used with a second vulnerability, CVE-2024-51978, to calculate the printer's default administrator password. The eSCL/uscan vector is normally reachable only from the local network, but any discovery service that implements the eSCL specification, such as runZero Explorer, can retrieve the serial number from that position.

Impact

Exploitation of this vulnerability allows for the unauthorized discovery of a printer's serial number, which can be used to calculate the default administrator password. If the default password has not been changed, this could lead to unauthorized control over the printer.

Reproduction

The vulnerability can be reproduced with runZero Explorer, which can be installed on Windows, Linux, macOS, and BSD variants. Once the Explorer is installed and running, it can scan the local network for Brother printers running the vulnerable firmware; the Explorer automatically retrieves the serial numbers of these printers via the eSCL protocol.

Remediation

Users are advised to change the default administrator password through the Web Based Management interface. For models affected by CVE-2024-51978, which cannot be fully remediated through a firmware update, Brother has published a workaround.

Added: Aug 12, 2025, 4:44 PM
Updated: Aug 12, 2025, 4:44 PM

Vulnerability Rating

Custom Algorithm

  Category        Score
  spread          5.7
  impact          3.1
  exploitability  5.9
  remediation     8.3
  relevance       0.3
  threat          4.8
  urgency         2.9
  incentive       1.7

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.