CVE-2019-10881
📋 TL;DR
Xerox AltaLink multifunction printers have two hard-coded accounts with weak passwords that cannot be disabled. Attackers can use these credentials to gain unauthorized administrative access to affected devices. This affects specific AltaLink B and C series models running software before version 103.xxx.030.32000.
💻 Affected Systems
- Xerox AltaLink B8045
- Xerox AltaLink B8055
- Xerox AltaLink B8065
- Xerox AltaLink B8075
- Xerox AltaLink B8090
- Xerox AltaLink C8030
- Xerox AltaLink C8035
- Xerox AltaLink C8045
- Xerox AltaLink C8055
- Xerox AltaLink C8070
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Full administrative control of the printer, allowing attackers to steal scanned documents, modify device settings, install malicious firmware, and use the device as a network pivot point.
Likely Case
Unauthorized access to printer functions, document theft, configuration changes, and potential use as an internal network foothold.
If Mitigated
Limited impact if devices are isolated from critical networks and regular monitoring detects unauthorized access attempts.
🎯 Exploit Status
Exploitation requires knowledge of the hard-coded credentials but is trivial once obtained. The Airbus research suggests these credentials may be publicly known.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 103.xxx.030.32000 or later
Vendor Advisory: https://securitydocs.business.xerox.com/wp-content/uploads/2021/03/cert_Security_Mini_Bulletin_XRX20I_for_ALB80xx-C80xx.pdf
Restart Required: Yes
Instructions:
1. Download the firmware update from the Xerox support portal.
2. Upload the firmware to the printer via the web interface.
3. Apply the update.
4. Reboot the printer.
5. Verify the new firmware version.
🔧 Temporary Workarounds
Network segmentation
Isolate printers on a separate VLAN with strict firewall rules limiting access to necessary services only.
Access control lists
Implement IP-based restrictions on printer management interfaces to allow only authorized administrative stations.
🧯 If You Can't Patch
- Segment printers on an isolated network with no internet access
- Implement strict firewall rules blocking all unnecessary ports to printers
🔍 How to Verify
Check if Vulnerable:
Check the printer firmware version via the web interface: Settings > Device > About. If the version is below 103.xxx.030.32000, the device is vulnerable.
Check Version:
Not applicable - check via printer web interface
Verify Fix Applied:
Verify firmware version is 103.xxx.030.32000 or higher via web interface. Test that hard-coded credentials no longer work.
📡 Detection & Monitoring
Log Indicators:
- Failed login attempts followed by successful logins from unusual IPs
- Configuration changes from non-standard administrative accounts
- Multiple authentication attempts using known hard-coded usernames
Network Indicators:
- Unusual network traffic patterns from printer to internal/external systems
- Administrative access from unauthorized IP addresses
SIEM Query:
source="printer_logs" (event_type="authentication" AND (username="[hardcoded_user1]" OR username="[hardcoded_user2]")) OR (event_type="configuration_change" AND source_ip NOT IN [admin_ips])
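The SIEM query above leaves the account names and admin IPs as placeholders. The following is an added example (not part of this advisory) that applies the same three log indicators to constructed sample log lines; the log format, the `hardcoded_user1`/`hardcoded_user2` names and the `ADMIN_IPS` set are assumptions to be replaced with values from the vendor bulletin and your own environment.

```python
"""Detection logic for the CVE-2019-10881 log indicators listed above."""
import re
from collections import defaultdict

# Placeholders: the real account names are not given on this page; take them
# from the Xerox bulletin. ADMIN_IPS is an assumed set of authorised stations.
HARDCODED_USERS = {"hardcoded_user1", "hardcoded_user2"}
ADMIN_IPS = {"10.0.5.10", "10.0.5.11"}

# Assumed key=value log format; adapt the regex to the device's real syslog output.
LOG_RE = re.compile(
    r"(?P<ts>\S+) event=(?P<event>\w+) user=(?P<user>\S+) "
    r"src=(?P<src>[\d.]+) result=(?P<result>\w+)"
)

# Constructed sample log lines (not captured from a real device).
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z event=authentication user=admin src=10.0.5.10 result=success
2024-03-01T09:05:12Z event=authentication user=hardcoded_user1 src=192.168.40.7 result=failure
2024-03-01T09:05:15Z event=authentication user=hardcoded_user1 src=192.168.40.7 result=success
2024-03-01T09:06:00Z event=configuration_change user=hardcoded_user1 src=192.168.40.7 result=success
2024-03-01T09:30:00Z event=configuration_change user=admin src=10.0.5.11 result=success
"""

def parse(log_text):
    """Yield one dict per parseable log line; unparseable lines are skipped."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()

def detect(log_text):
    """Return one alert string per matched indicator, in log order."""
    alerts = []
    last_failed = defaultdict(bool)  # src IP -> did its previous auth attempt fail?
    for e in parse(log_text):
        if e["event"] == "authentication":
            if e["user"] in HARDCODED_USERS:
                alerts.append(f"hardcoded-account auth ({e['result']}) from {e['src']}")
            if e["result"] == "success" and last_failed[e["src"]] and e["src"] not in ADMIN_IPS:
                alerts.append(f"failure-then-success from unusual IP {e['src']}")
            last_failed[e["src"]] = e["result"] != "success"
        elif e["event"] == "configuration_change" and e["src"] not in ADMIN_IPS:
            alerts.append(f"config change by {e['user']} from non-admin IP {e['src']}")
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Run against the sample, the first admin login and the admin configuration change produce no alert, while the hard-coded account's failed and successful logins, the failure-then-success pattern and the config change from a non-admin IP each raise one.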