CVE-2018-18006
📋 TL;DR
CVE-2018-18006 involves hardcoded credentials in Ricoh myPrint applications that allow attackers to access the myPrint WSDL API without authentication. This exposes sensitive information including Google cloud printer API secrets, encrypted mail server passwords, and printed file names. Affected users include anyone running vulnerable versions of Ricoh myPrint for Windows or Android.
💻 Affected Systems
- Ricoh myPrint
📦 What is this software?
Myprint by Ricoh
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of connected cloud printers, mail servers, and access to all printed documents, potentially leading to data exfiltration, unauthorized printing, and credential theft.
Likely Case
Unauthorized access to printed document metadata, exposure of printer configurations, and potential access to mail server credentials.
If Mitigated
Limited exposure if API endpoints are not internet-accessible and network segmentation prevents lateral movement.
🎯 Exploit Status
Exploitation requires network access to the myPrint WSDL API endpoint. Public proof-of-concept demonstrates information disclosure.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Later versions than those listed
Vendor Advisory: https://www.ricoh.com/info/2018/1128_1/
Restart Required: Yes
Instructions:
1. Uninstall vulnerable myPrint versions.
2. Download and install the latest version from Ricoh's official website.
3. Restart the system.
🔧 Temporary Workarounds
Network Isolation
Windows: Block external access to myPrint API endpoints using firewall rules.
netsh advfirewall firewall add rule name="Block myPrint API" dir=in action=block protocol=TCP localport=8080
Application Removal
Windows: Uninstall the vulnerable myPrint application if not required.
appwiz.cpl
🧯 If You Can't Patch
- Segment network to restrict myPrint API access to trusted internal networks only.
- Monitor network traffic to/from myPrint API endpoints for unauthorized access attempts.
🔍 How to Verify
Check if Vulnerable:
Check the installed myPrint version in Windows Programs and Features or Android App Info. If the version matches an affected version, the system is vulnerable.
Check Version:
On Windows: Check via Programs and Features. On Android: Settings > Apps > myPrint > App Info.
Verify Fix Applied:
Verify myPrint version is updated to a version later than 2.9.2.4 (Windows) or 2.2.7 (Android).
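A scripted form of the Windows check above, as an added example that is not from Ricoh or the original advisory. It assumes the installer registers an Uninstall entry whose DisplayName contains "myPrint", and it treats 2.9.2.4 and earlier as affected, per the verification step.

```powershell
# Added example: inventory check for Ricoh myPrint on Windows.
# Assumption: the Uninstall entry's DisplayName contains "myPrint".
$LastAffected = [version]'2.9.2.4'   # threshold taken from "Verify Fix Applied"
$NamePattern  = '*myPrint*'          # assumed display-name pattern

# 64-bit, 32-bit (WOW6432Node) and per-user install locations
$UninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

$found = Get-ItemProperty -Path $UninstallKeys -ErrorAction SilentlyContinue |
    Where-Object {
        $_.PSObject.Properties['DisplayName'] -and $_.DisplayName -like $NamePattern
    }

if (-not $found) {
    Write-Output 'myPrint not found in the Uninstall registry keys.'
}
else {
    foreach ($app in $found) {
        $parsed = $null
        $raw    = [string]$app.DisplayVersion

        # Compare as System.Version so 2.10.x sorts after 2.9.x
        $status = if ([version]::TryParse($raw, [ref]$parsed)) {
            if ($parsed -le $LastAffected) { 'VULNERABLE' } else { 'Updated' }
        }
        else {
            'UNKNOWN (version not parseable, check manually)'
        }

        [pscustomobject]@{
            Name    = $app.DisplayName
            Version = $raw
            Status  = $status
        }
    }
}
```

An entry reported as UNKNOWN still needs the manual Programs and Features check.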
📡 Detection & Monitoring
Log Indicators:
- Unusual API access patterns to myPrint WSDL endpoints
- Authentication attempts using hardcoded credentials
Network Indicators:
- External connections to myPrint API ports (typically 8080)
- Unencrypted sensitive data transmission
SIEM Query:
source="myPrint" AND (event_type="api_access" OR credential_use="hardcoded")
🔗 References
- http://packetstormsecurity.com/files/150399/Ricoh-myPrint-Hardcoded-Credentials-Information-Disclosure.html
- http://seclists.org/fulldisclosure/2018/Nov/46