CVE-2019-18629
📋 TL;DR
This vulnerability allows attackers to execute arbitrary binaries on affected Xerox multifunction printers by creating and signing malicious clone files with compromised private keys, giving them unauthorized code execution on the device. Affected systems are the Xerox AltaLink B80xx and C80xx series printers listed below with software releases before 101.00x.099.28200.
💻 Affected Systems
- Xerox AltaLink B8045
- Xerox AltaLink B8055
- Xerox AltaLink B8065
- Xerox AltaLink B8075
- Xerox AltaLink B8090
- Xerox C8030
- Xerox C8035
- Xerox C8045
- Xerox C8055
- Xerox C8070
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete compromise of printer device allowing persistent backdoor installation, data exfiltration from scanned documents, lateral movement to connected networks, and use as attack platform.
Likely Case
Unauthorized code execution on printer leading to data theft, device disruption, or use in further attacks against the network.
If Mitigated
Limited impact if printers are isolated from critical networks and regularly updated.
🎯 Exploit Status
Exploitation requires creating a signed clone file with compromised private key, which adds complexity but is feasible for determined attackers.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 101.00x.099.28200 or later
Vendor Advisory: https://securitydocs.business.xerox.com/wp-content/uploads/2021/03/cert_Security_Mini_Bulletin_XRX19AI_for_ALB80xx-C80xx_v1.1.pdf
Restart Required: Yes
Instructions:
1. Access the printer web interface.
2. Navigate to Settings > General Settings > Software Update.
3. Upload firmware version 101.00x.099.28200 or later.
4. Apply the update and restart the printer.
🔧 Temporary Workarounds
Network segmentation
Isolate printers on a separate VLAN with restricted access to prevent exploitation from the general network.
Disable clone feature
Disable clone installation functionality if it is not required for operations.
🧯 If You Can't Patch
- Segment printers on isolated network with strict firewall rules
- Monitor for unauthorized clone file uploads and unusual printer behavior
🔍 How to Verify
Check if Vulnerable:
Check printer firmware version via web interface: Settings > General Settings > About. Compare version against 101.00x.099.28200.
Check Version:
Not applicable - use printer web interface or display panel
Verify Fix Applied:
Verify firmware version shows 101.00x.099.28200 or higher after update.
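The version checks above are manual, one printer at a time. The following added example (not from the Xerox bulletin or any Xerox tooling) automates the comparison for a fleet inventory. It assumes the "x" in 101.00x.099.28200 is a model-specific digit and so treats that segment as a wildcard, and that the firmware string reads exactly as shown under Settings > General Settings > About; the inventory values are constructed sample data.

```python
# Patched release named in the Xerox bulletin. The "x" segment differs per
# model (assumption: it is a model-specific digit), so it is a wildcard here.
FIXED_VERSION = "101.00x.099.28200"

# Constructed sample inventory: hostname -> firmware string as shown on the
# device's About page. These values are made up for this example.
SAMPLE_INVENTORY = {
    "mfp-floor1": "101.001.099.28200",   # exactly the fixed release
    "mfp-floor2": "101.002.089.12345",   # older, still vulnerable
    "mfp-floor3": "101.003.100.00100",   # newer than the fix
    "mfp-lobby":  "101.004.099.28199",   # one build short of the fix
}


def parse_version(version):
    """Split a dotted firmware version into comparable segments.

    Numeric segments become ints; a segment containing 'x' becomes None,
    which compare_versions treats as matching any value.
    """
    out = []
    for seg in version.strip().split("."):
        if "x" in seg.lower():
            out.append(None)
        elif seg.isdigit():
            out.append(int(seg))
        else:
            raise ValueError("unrecognised version segment: %r" % seg)
    return out


def compare_versions(a, b):
    """Return -1, 0 or 1 (a < b, a == b, a > b).

    A None (wildcard) segment on either side matches anything; missing
    trailing segments are padded with 0 so "101.1" equals "101.1.0".
    """
    pa, pb = parse_version(a), parse_version(b)
    n = max(len(pa), len(pb))
    pa += [0] * (n - len(pa))
    pb += [0] * (n - len(pb))
    for x, y in zip(pa, pb):
        if x is None or y is None:
            continue
        if x != y:
            return -1 if x < y else 1
    return 0


def is_vulnerable(reported, fixed=FIXED_VERSION):
    """True when the reported firmware predates the fixed release."""
    return compare_versions(reported, fixed) < 0


def audit(inventory):
    """Return the sorted hostnames whose firmware still needs the update."""
    return sorted(host for host, ver in inventory.items() if is_vulnerable(ver))


if __name__ == "__main__":
    for host in audit(SAMPLE_INVENTORY):
        print(f"{host}: {SAMPLE_INVENTORY[host]} predates {FIXED_VERSION}")
```

Because the comparison is segment-wise numeric rather than lexical, a build number such as 100.00100 is correctly ranked above 099.28200 even though the string "100" sorts before "099.28200" in some tools.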
📡 Detection & Monitoring
Log Indicators:
- Unauthorized clone file upload attempts
- Unexpected binary execution events
- Firmware modification logs
Network Indicators:
- Unusual network traffic from printer to unexpected destinations
- Clone file transfer to printer
SIEM Query:
source="printer_logs" AND (event="clone_install" OR event="firmware_update") AND user!=authorized_user
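The query above is pseudo-syntax and depends on the SIEM already knowing who counts as an authorized user. The added example below (not part of the original page or any Xerox product) expresses the same detection logic in plain Python so it can be tested against sample data. It assumes the printer exports key=value log lines; the field names, users, addresses and the management subnet are constructed for the example and would need to be mapped to your own log schema.

```python
import re
from ipaddress import ip_address, ip_network

# Constructed sample log lines in a key=value shape; field names, users
# and addresses are made up for this example.
SAMPLE_LOGS = """\
ts=2024-05-01T09:12:03Z src=10.20.0.15 event=clone_install user=svc-printadmin result=ok
ts=2024-05-01T09:40:51Z src=10.20.0.77 event=login user=jdoe result=ok
ts=2024-05-01T11:02:19Z src=192.0.2.44 event=clone_install user=admin result=ok
ts=2024-05-01T11:05:44Z src=10.20.0.15 event=firmware_update user=svc-printadmin result=ok
ts=2024-05-01T23:17:08Z src=10.20.0.91 event=firmware_update user=guest result=failed
ts=2024-05-02T00:00:01Z malformed line without fields
"""

# Assumed policy: only the service account may install clones or firmware,
# and only from the printer-management subnet.
AUTHORIZED_USERS = {"svc-printadmin"}
MANAGEMENT_NET = ip_network("10.20.0.0/24")
SENSITIVE_EVENTS = {"clone_install", "firmware_update"}
REQUIRED_FIELDS = {"ts", "src", "event", "user"}

FIELD_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Parse one key=value log line into a dict, or None if fields are missing."""
    fields = dict(FIELD_RE.findall(line))
    return fields if REQUIRED_FIELDS <= fields.keys() else None


def find_suspicious(log_text):
    """Return (ts, event, user, reason) for clone/firmware events that fail policy.

    Failed attempts are reported too: a rejected upload still shows someone
    is trying to install a clone file.
    """
    hits = []
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["event"] not in SENSITIVE_EVENTS:
            continue
        reasons = []
        if rec["user"] not in AUTHORIZED_USERS:
            reasons.append("unauthorized user")
        if ip_address(rec["src"]) not in MANAGEMENT_NET:
            reasons.append("source outside management network")
        if reasons:
            hits.append((rec["ts"], rec["event"], rec["user"], "; ".join(reasons)))
    return hits


if __name__ == "__main__":
    for ts, event, user, reason in find_suspicious(SAMPLE_LOGS):
        print(f"{ts} {event} by {user}: {reason}")
```

Checking the source address as well as the user catches the case the page's query misses: a legitimate account used from an unexpected network, which is what a stolen credential or a compromised signing key tends to look like in the logs.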
🔗 References
- https://security.business.xerox.com
- https://securitydocs.business.xerox.com/wp-content/uploads/2021/03/cert_Security_Mini_Bulletin_XRX19AI_for_ALB80xx-C80xx_v1.1.pdf