CVE-2020-36201
📋 TL;DR
Xerox WorkCentre multifunction printers store passwords without proper encryption, allowing attackers with physical or network access to extract credentials. This affects specific ConnectKey-enabled WorkCentre models listed in the CVE. Attackers could gain unauthorized access to device administration or connected services.
💻 Affected Systems
- Xerox WorkCentre 3655
- Xerox WorkCentre 3655i
- Xerox WorkCentre 58XX
- Xerox WorkCentre 58XXi
- Xerox WorkCentre 59XX
- Xerox WorkCentre 59XXi
- Xerox WorkCentre 6655
- Xerox WorkCentre 6655i
- Xerox WorkCentre 72XX
- Xerox WorkCentre 72XXi
- Xerox WorkCentre 78XX
- Xerox WorkCentre 78XXi
- Xerox WorkCentre 7970
- Xerox WorkCentre 7970i
- Xerox WorkCentre EC7836
- Xerox WorkCentre EC7856
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Attackers extract administrative credentials, gain full control of devices, access connected network resources, and potentially pivot to other systems using stolen credentials.
Likely Case
Local or network attackers extract stored passwords, compromise device administration, and access sensitive documents or configuration data.
If Mitigated
With proper network segmentation and access controls, the impact is limited to the isolated printer network segment.
🎯 Exploit Status
Exploitation requires access to the device's storage or memory. No public exploit code is available, but the vulnerability is straightforward to exploit with that level of access.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Firmware updates with security fixes (specific versions in vendor advisory)
Vendor Advisory: https://securitydocs.business.xerox.com/wp-content/uploads/2020/06/cert_Security_Mini_Bulletin_XRX20L_for_ConnectKey-1.pdf
Restart Required: Yes
Instructions:
1. Download the latest firmware from the Xerox support portal.
2. Upload the firmware to the device via the web interface.
3. Apply the update.
4. Reboot the device.
5. Verify the firmware version.
🔧 Temporary Workarounds
- Network segmentation: isolate printers on a separate VLAN with restricted access
- Access control hardening: restrict administrative access to specific IP addresses and use strong, unique passwords
🧯 If You Can't Patch
- Segment printers on isolated network with strict firewall rules
- Implement monitoring for unauthorized access attempts to printer management interfaces
- Regularly rotate administrative credentials
- Disable unnecessary services and interfaces
🔍 How to Verify
Check if Vulnerable:
Compare the device firmware version against the patched versions listed in the vendor advisory. Devices running firmware older than the security update are vulnerable.
Check Version:
Access device web interface > Settings > Device Information > Firmware Version
Verify Fix Applied:
Verify that the firmware version matches or exceeds the patched version listed in the Xerox security bulletin.
📡 Detection & Monitoring
Log Indicators:
- Unauthorized access to device configuration pages
- Multiple failed login attempts
- Firmware modification events
Network Indicators:
- Unusual traffic to printer management ports (80, 443, 9100)
- Credential dumping attempts
SIEM Query:
source="printer_logs" AND (event="configuration_access" OR event="firmware_update")
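As an added example (not from this page or from Xerox), a small Python detector that applies the log indicators above to constructed sample printer log lines. The key=value line layout, the printer/source names and the event names other than the two used in the SIEM query are assumptions.

```python
import re
from collections import Counter

# Constructed sample log lines; the key=value layout is an assumption, not Xerox's real format.
SAMPLE_LOGS = """\
2020-06-10T09:12:01Z printer=wc7855-01 src=10.0.5.23 user=admin event=login result=failure
2020-06-10T09:12:05Z printer=wc7855-01 src=10.0.5.23 user=admin event=login result=failure
2020-06-10T09:12:09Z printer=wc7855-01 src=10.0.5.23 user=admin event=login result=failure
2020-06-10T09:12:15Z printer=wc7855-01 src=10.0.5.23 user=admin event=login result=success
2020-06-10T09:12:40Z printer=wc7855-01 src=10.0.5.23 user=admin event=configuration_access page=/properties/security
2020-06-10T09:13:02Z printer=wc7855-01 src=10.0.5.23 user=admin event=firmware_update version=PLACEHOLDER
2020-06-10T11:00:00Z printer=wc3655-02 src=10.0.9.8 user=svc_print event=print_job pages=3
"""

KV_RE = re.compile(r'(\w+)=(\S+)')


def parse_line(line):
    """Split '<timestamp> k=v k=v ...' into a dict (timestamp stored under 'ts')."""
    ts, rest = line.split(' ', 1)
    fields = dict(KV_RE.findall(rest))
    fields['ts'] = ts
    return fields


def detect(log_text, failed_login_threshold=3):
    """Return alerts matching the page's log indicators: configuration-page access,
    firmware updates, and repeated failed logins from one source per printer."""
    alerts = []
    failures = Counter()
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ev = parse_line(raw)
        key = (ev.get('printer'), ev.get('src'))
        if ev.get('event') == 'login' and ev.get('result') == 'failure':
            failures[key] += 1
            # Alert once, the moment the threshold is reached for this printer/source pair.
            if failures[key] == failed_login_threshold:
                alerts.append(('repeated_failed_login', ev['ts'], ev['printer'], ev['src']))
        elif ev.get('event') in ('configuration_access', 'firmware_update'):
            alerts.append((ev['event'], ev['ts'], ev['printer'], ev['src']))
    return alerts


if __name__ == '__main__':
    for alert in detect(SAMPLE_LOGS):
        print(alert)
```

Feed it your own exported printer logs in the same layout to get one alert per configuration access or firmware update, plus one per source that crosses the failed-login threshold.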