CVE-2018-20770
📋 TL;DR
This CVE describes a blind SQL injection vulnerability in multiple Xerox WorkCentre and ConnectKey devices. Attackers can execute arbitrary SQL commands without authentication, potentially compromising device security and data. Affected users include organizations using vulnerable Xerox multifunction printers.
💻 Affected Systems
- Xerox WorkCentre 3655
- Xerox WorkCentre 3655i
- Xerox WorkCentre 58XX
- Xerox WorkCentre 58XXi
- Xerox WorkCentre 59XX
- Xerox WorkCentre 59XXi
- Xerox WorkCentre 6655
- Xerox WorkCentre 6655i
- Xerox WorkCentre 72XX
- Xerox WorkCentre 72XXi
- Xerox WorkCentre 78XX
- Xerox WorkCentre 78XXi
- Xerox WorkCentre 7970
- Xerox WorkCentre 7970i
- Xerox ConnectKey EC7836
- Xerox ConnectKey EC7856
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete device compromise leading to data exfiltration, lateral movement to connected networks, and persistent backdoor installation.
Likely Case
Unauthorized access to device configuration, sensitive document data, and potential credential harvesting from device databases.
If Mitigated
Limited impact if devices are isolated from critical networks and have restricted administrative access.
🎯 Exploit Status
Blind SQL injection typically requires some trial and error, but the technique is well understood by attackers. Because no authentication is required, exploitation is straightforward.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: R18-05 073.xxx.0487.15000 or later
Vendor Advisory: https://securitydocs.business.xerox.com/wp-content/uploads/2018/07/cert_Security_Mini_Bulletin_XRX18Y_for_ConnectKey_EC78xx_v1.0.pdf
Restart Required: Yes
Instructions:
1. Log into the device web interface as administrator.
2. Navigate to Settings > System > Updates.
3. Check for available firmware updates.
4. Download and install R18-05 073.xxx.0487.15000 or later.
5. Reboot the device after installation.
🔧 Temporary Workarounds
Network Segmentation
Isolate vulnerable printers on a separate VLAN with restricted access
Access Control Lists
Implement firewall rules to restrict access to printer management interfaces
🧯 If You Can't Patch
- Disable remote management interfaces if not required
- Implement strict network segmentation to isolate printers from sensitive systems
🔍 How to Verify
Check if Vulnerable:
Check device firmware version via web interface: Settings > System > About. Compare version against vulnerable range.
Check Version:
No CLI command. Use web interface: http://[printer-ip]/web/guest/en/websys/webArch/getStatus.cgi
Verify Fix Applied:
Confirm firmware version is R18-05 073.xxx.0487.15000 or later in device settings.
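The version comparison above is easy to get wrong by eye, because the patched build string contains a model-specific wildcard field ("xxx"). The following is an added example, not code from the page or from Xerox: a small checker that parses a firmware string, treats "xxx" as a wildcard, and compares the remaining fields numerically. It assumes (this is not stated on the page) that the four dot-separated fields compare field by field as numbers and that "or later" means numerically higher; confirm that reading against the vendor bulletin for your model before relying on it.

```python
import re

# Fixed build as quoted on the page: "R18-05 073.xxx.0487.15000".
# Assumption (not from the page): fields compare numerically left to right,
# and "xxx" is a model-specific field that should be ignored when comparing.
FIXED_VERSION = "R18-05 073.xxx.0487.15000"

_FIELD_RE = re.compile(r"^(\d+|xxx)$", re.IGNORECASE)


def parse_version(version):
    """Turn 'R18-05 073.190.0487.15000' into [73, 190, 487, 15000].

    A leading release label such as 'R18-05' is dropped; 'xxx' becomes None
    so it acts as a wildcard in comparisons. Raises ValueError on anything
    that does not look like a four-field build string.
    """
    build = version.strip().split()[-1]          # drop "R18-05" style label
    fields = build.split(".")
    if len(fields) != 4:
        raise ValueError(f"unexpected firmware version format: {version!r}")
    parsed = []
    for field in fields:
        if not _FIELD_RE.match(field):
            raise ValueError(f"bad version field {field!r} in {version!r}")
        parsed.append(None if field.lower() == "xxx" else int(field))
    return parsed


def is_fixed(device_version, fixed=FIXED_VERSION):
    """Return True if device_version is at or above the fixed build.

    Wildcard fields (None) on either side are skipped; the first differing
    numeric field decides the result.
    """
    dev = parse_version(device_version)
    fix = parse_version(fixed)
    for d, f in zip(dev, fix):
        if d is None or f is None:
            continue
        if d != f:
            return d > f
    return True


if __name__ == "__main__":
    # Constructed sample values, not real device output.
    for sample in ("073.190.0487.15000", "073.190.0487.14999", "R18-03 073.190.0486.20000"):
        print(f"{sample:32} fixed={is_fixed(sample)}")
```

Feed it the version string shown under Settings > System > About; any device for which `is_fixed` returns False (or raises, meaning the string did not parse) should stay on the workaround list until it is updated.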
📡 Detection & Monitoring
Log Indicators:
- Unusual SQL error messages in device logs
- Multiple failed authentication attempts followed by SQL-like queries
- Unexpected configuration changes
Network Indicators:
- Unusual HTTP POST requests to device management endpoints
- SQL injection patterns in HTTP traffic to printer IPs
- Outbound connections from printers to unexpected destinations
SIEM Query:
(source="printer_logs" AND ("sql" OR "injection" OR "syntax error")) OR (dest_ip="printer_ips" AND http_method="POST" AND (url_contains="config" OR url_contains="admin"))
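To show what the log and network indicators above look like when turned into detection logic, here is an added example (it is not from the page, and it is not a Xerox or SIEM vendor artifact). It runs over constructed sample lines: an assumed HTTP request log in the form `src_ip dst_ip method path status`, and an assumed device log with free-text messages. The printer IP set, the management-endpoint paths (`/config/`, `/admin/`, following the page's SIEM query) and the injection markers are all assumptions to tune for your environment; the markers are deliberately broad, so a hit is a triage item rather than a confirmed attack.

```python
import re
from collections import Counter
from urllib.parse import unquote_plus

# Constructed sample HTTP request log lines (not real Xerox device output).
# Assumed format: "<src_ip> <dst_ip> <method> <path_with_query> <status>"
SAMPLE_HTTP_LOG = """\
10.0.5.23 10.0.9.10 GET /web/guest/en/websys/webArch/getStatus.cgi 200
10.0.5.23 10.0.9.10 POST /web/admin/settings.cgi?name=tray1 200
10.0.5.99 10.0.9.10 POST /web/admin/settings.cgi?name=tray1%27%20AND%20SLEEP(5)--%20 200
10.0.5.99 10.0.9.10 POST /web/admin/settings.cgi?name=tray1%27%20AND%201%3D1--%20 200
10.0.5.99 10.0.9.10 POST /web/config/update.cgi?id=1%20UNION%20SELECT%20user%2Cpass%20FROM%20users 500
10.0.5.23 10.0.1.5 POST /web/admin/login.cgi?user=bob 200
"""

# Constructed sample device log lines (not real Xerox log output).
SAMPLE_DEVICE_LOG = """\
2024-01-10T10:00:01 INFO job 1234 completed
2024-01-10T10:00:07 ERROR database: SQL syntax error near 'AND SLEEP(5)--'
2024-01-10T10:00:09 WARN config: admin password changed
"""

# Assumed inventory of printer management addresses.
PRINTER_IPS = {"10.0.9.10"}

# Management endpoints, mirroring the "config"/"admin" terms in the SIEM query.
MGMT_PATH_RE = re.compile(r"/(config|admin)/", re.IGNORECASE)

# Widely documented SQL injection markers, checked after URL decoding.
# Tuned for recall over precision; expect some false positives to triage.
SQLI_RE = re.compile(
    r"(?:'\s*(?:or|and)\b)"                 # quote followed by boolean operator
    r"|(?:\bunion\s+(?:all\s+)?select\b)"   # union-based probing
    r"|(?:\b(?:sleep|benchmark|waitfor)\s*\()"  # time-based blind probing
    r"|(?:--\s)"                            # SQL line comment terminator
    r"|(?:;\s*(?:drop|delete|update)\b)",   # stacked statements
    re.IGNORECASE,
)


def parse_http_line(line):
    """Parse one assumed-format request line; return None if it does not fit."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    src, dst, method, path, status = parts
    return {"src": src, "dst": dst, "method": method.upper(),
            "path": unquote_plus(path), "status": int(status)}


def detect_http_indicators(log_text, printer_ips=PRINTER_IPS):
    """Alerts for POSTs to printer management endpoints carrying SQLi markers."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_http_line(line)
        if rec is None or rec["dst"] not in printer_ips:
            continue
        if rec["method"] != "POST" or not MGMT_PATH_RE.search(rec["path"]):
            continue
        match = SQLI_RE.search(rec["path"])
        if match:
            alerts.append({"src": rec["src"], "dst": rec["dst"],
                           "path": rec["path"], "marker": match.group(0)})
    return alerts


def detect_device_log_indicators(log_text):
    """Device log lines mentioning SQL errors or configuration changes."""
    hits = []
    for line in log_text.splitlines():
        low = line.lower()
        if "sql" in low and ("syntax" in low or "error" in low):
            hits.append(("sql_error", line))
        elif "config" in low and "changed" in low:
            hits.append(("config_change", line))
    return hits


def repeat_offenders(alerts, threshold=2):
    """Sources with at least `threshold` alerts; blind SQLi needs many requests."""
    counts = Counter(a["src"] for a in alerts)
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    http_alerts = detect_http_indicators(SAMPLE_HTTP_LOG)
    for a in http_alerts:
        print(f"[http] {a['src']} -> {a['dst']} {a['path']!r} marker={a['marker']!r}")
    print("repeat offenders:", repeat_offenders(http_alerts))
    for kind, line in detect_device_log_indicators(SAMPLE_DEVICE_LOG):
        print(f"[device] {kind}: {line}")
```

The request-side check keys on destination (printer), method (POST) and path (management endpoint) before looking for markers, which keeps noise from ordinary print traffic down; the repeat-offender count matters because blind injection is iterative, so a single hit from a source is far less interesting than a burst of them.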