CVE-2022-23968

7.5 HIGH

📋 TL;DR

This vulnerability allows remote attackers to cause a permanent denial of service on Xerox VersaLink devices by sending a crafted TIFF file in an unauthenticated HTTP POST request. Parsing the file makes the printer reboot, and parsing resumes as soon as the device finishes booting, so the printer stays in a boot loop even after the attacker stops sending data. Recovery requires a field technician with physical access to the device. Organizations running vulnerable Xerox VersaLink firmware are affected.

💻 Affected Systems

Products:
  • Xerox VersaLink printers
Versions: Firmware versions reported as xx.42.01 and xx.50.61 (the leading digits depend on the device model); some reports describe earlier versions as affected as well
Operating Systems: Embedded printer firmware
Default Config Vulnerable: ⚠️ Yes
Notes: Vendor states latest firmware versions are not vulnerable, conflicting with initial reports suggesting all versions were affected.

📦 What is this software?

Xerox VersaLink is a family of Xerox office printers and multifunction devices. They run embedded firmware with a built-in web server used for administration and firmware updates; that HTTP interface is what the crafted POST request in this CVE reaches.

⚠️ Risk & Real-World Impact

🔴

Worst Case

Attackers can remotely brick all vulnerable printers in an organization, causing complete printing service disruption until field technicians physically service each device.

🟠

Likely Case

Targeted attacks against specific organizations or opportunistic attacks against internet-exposed printers causing service disruption.

🟢

If Mitigated

Minimal impact with proper network segmentation and updated firmware.

🌐 Internet-Facing: HIGH - Unauthenticated remote exploitation allows attackers to brick devices from anywhere on the internet.
🏢 Internal Only: MEDIUM - Internal attackers or compromised internal systems could exploit this, but requires network access to printer management interfaces.

🎯 Exploit Status

Public PoC: ⚠️ Yes
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The known trigger is a TIFF file whose Image File Directory (IFD) is incomplete (for example, a directory that declares more entries than the file actually contains), delivered in the body of an unauthenticated HTTP POST. Public details and a proof of concept exist in security articles. Do not reproduce this against production devices: a printer that turns out to be vulnerable cannot be recovered remotely.
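Because the trigger is a structurally incomplete directory, a print server, upload gateway or IDS content inspector can refuse such files before they reach a printer. The Python below is an added example written for this page; it is neither Xerox code nor the published proof of concept. It walks the IFD chain as laid out in the TIFF 6.0 specification (8-byte header, then 2-byte entry count, 12-byte entries and a 4-byte next-IFD pointer per directory) and flags any directory or out-of-line value that runs past end of file, plus IFD loops. The sample TIFF it builds is constructed inline (a 1x1 grayscale image) purely as test input, and the truncated copy is the same image cut after three of its nine entries.

```python
import struct

# Byte sizes of the TIFF 6.0 field types (type code -> bytes per value).
TYPE_SIZES = {1: 1, 2: 1, 3: 2, 4: 4, 5: 8, 6: 1, 7: 1, 8: 2, 9: 4, 10: 8, 11: 4, 12: 8}


def validate_tiff(data: bytes, max_ifds: int = 64) -> list:
    """Walk the IFD chain and return a list of structural problems.

    An empty list means every directory the file points to is fully present.
    Anything else is a file a gateway should refuse to forward to a printer.
    """
    problems = []
    if len(data) < 8:
        return ["file shorter than the 8-byte TIFF header"]
    order = {b"II": "<", b"MM": ">"}.get(data[:2])
    if order is None:
        return ["bad byte-order mark %r" % data[:2]]
    magic, offset = struct.unpack(order + "HI", data[2:8])
    if magic != 42:
        return ["bad magic %d, expected 42" % magic]
    seen = set()
    while offset != 0:
        if offset in seen:
            problems.append("IFD chain loops back to offset %d" % offset)
            break
        if len(seen) >= max_ifds:
            problems.append("more than %d IFDs, refusing to walk further" % max_ifds)
            break
        seen.add(offset)
        if offset + 2 > len(data):
            problems.append("IFD offset %d lies past end of file (%d bytes)" % (offset, len(data)))
            break
        (count,) = struct.unpack(order + "H", data[offset:offset + 2])
        end = offset + 2 + 12 * count + 4          # entries plus next-IFD pointer
        if count == 0:
            problems.append("IFD at %d declares zero entries" % offset)
        if end > len(data):
            problems.append("IFD at %d declares %d entries and needs %d bytes, file has %d"
                            % (offset, count, end, len(data)))
            break                                   # the incomplete-directory case
        for i in range(count):
            pos = offset + 2 + 12 * i
            tag, typ, n, val = struct.unpack(order + "HHII", data[pos:pos + 12])
            size = TYPE_SIZES.get(typ)
            if size is None:
                problems.append("entry %d (tag %d) has unknown type %d" % (i, tag, typ))
                continue
            if size * n > 4 and val + size * n > len(data):   # value stored out of line
                problems.append("entry %d (tag %d) points %d bytes past end of file"
                                % (i, tag, val + size * n - len(data)))
        (offset,) = struct.unpack(order + "I", data[end - 4:end])
    return problems


def _entry(order, tag, typ, count, value):
    """Pack one 12-byte IFD entry; a single SHORT is left-justified in the value field."""
    if typ == 3 and count == 1:
        return struct.pack(order + "HHI", tag, typ, count) + struct.pack(order + "H", value) + b"\0\0"
    return struct.pack(order + "HHII", tag, typ, count, value)


def build_minimal_tiff(order="<") -> bytes:
    """Constructed sample input: a 1x1 8-bit grayscale uncompressed TIFF."""
    entries = [(256, 3, 1, 1),   # ImageWidth
               (257, 3, 1, 1),   # ImageLength
               (258, 3, 1, 8),   # BitsPerSample
               (259, 3, 1, 1),   # Compression: none
               (262, 3, 1, 1),   # PhotometricInterpretation: BlackIsZero
               (273, 4, 1, 0),   # StripOffsets, patched below
               (277, 3, 1, 1),   # SamplesPerPixel
               (278, 3, 1, 1),   # RowsPerStrip
               (279, 4, 1, 1)]   # StripByteCounts
    ifd_end = 8 + 2 + 12 * len(entries) + 4
    entries[5] = (273, 4, 1, ifd_end)   # the single pixel follows the IFD
    ifd = (struct.pack(order + "H", len(entries))
           + b"".join(_entry(order, *e) for e in entries)
           + struct.pack(order + "I", 0))
    bom = b"II" if order == "<" else b"MM"
    return bom + struct.pack(order + "HI", 42, 8) + ifd + b"\x00"


def truncated_tiff() -> bytes:
    """Same header and entry count, but the file ends after three of nine entries."""
    return build_minimal_tiff()[:8 + 2 + 12 * 3]


if __name__ == "__main__":
    for name, blob in [("well-formed", build_minimal_tiff()),
                       ("truncated IFD", truncated_tiff())]:
        print(name, "->", validate_tiff(blob) or "OK")
```

The check is deliberately strict about the directory itself (entry count, next pointer, out-of-line values) and silent about image semantics, since the goal is to stop malformed structure at the boundary, not to decode the image. A real deployment would run it on every TIFF-looking body (magic bytes, not Content-Type) before the file is handed to the device.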

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware released by Xerox on or after 2022-01-26 for the affected device model

Vendor Advisory: Not explicitly provided in references, but vendor acknowledged issue on 2022-01-26

Restart Required: Yes

Instructions:

1. Check the current firmware version on each Xerox VersaLink device.
2. Download the latest firmware for that model from the Xerox support portal.
3. Upload and install the firmware update via the printer web interface.
4. Reboot the printer after installation and confirm the new version string.

🔧 Temporary Workarounds

Network segmentation

Applies to: all

Isolate printers on separate VLANs with strict firewall rules that allow access to the printers' web interfaces (TCP 80/443) only from designated management hosts.

Disable external HTTP access

Applies to: all

Configure the perimeter firewall to block inbound HTTP/HTTPS traffic to printer management interfaces from untrusted networks, including the internet.

🧯 If You Can't Patch

  • Restrict TCP 80/443 to each printer so that only authorized management hosts can reach the web interface; print protocols on other ports (raw 9100, IPP 631) keep working under this restriction.
  • Watch for reboots: a device caught in the loop reboots repeatedly, so poll SNMP sysUpTime (1.3.6.1.2.1.1.3.0) and alert when it resets, and inspect HTTP POST traffic to printers for TIFF bodies.

🔍 How to Verify

Check if Vulnerable:

Check the firmware version via the printer web interface (Settings > Device > About) and compare it against the versions listed under Affected Systems. Because reports disagree on which versions are affected, confirm against the current Xerox bulletin for your model rather than the version string alone.

Check Version:

Not applicable - check via printer web interface or physical display panel

Verify Fix Applied:

Confirm that the installed version string matches the release Xerox published on or after 2022-01-26 for the device model. Do not verify by sending a crafted TIFF: if the device is still vulnerable, the test itself bricks it.

📡 Detection & Monitoring

Log Indicators:

  • Repeated printer reboots
  • HTTP POST requests to printer with TIFF file uploads
  • Failed image parsing errors in printer logs

Network Indicators:

  • HTTP POST requests to printer management ports (typically 80/443) whose body starts with the TIFF magic bytes 49 49 2A 00 ("II*") or 4D 4D 00 2A ("MM"); the Content-Type header is attacker-controlled, so do not rely on image/tiff being declared
  • Unusual source IPs accessing printer interfaces

SIEM Query:

(source="printer_logs" AND (event="reboot" OR event="crash")) OR (destination_port IN (80, 443) AND http_method="POST" AND content_type="image/tiff")
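The two halves of that query, run over constructed sample events instead of a live SIEM, as an added example that is not part of the original page and not tied to any SIEM product. It assumes a hypothetical inventory set of printer addresses and a proxy log that records the first bytes of each POST body. It matches on the TIFF magic bytes rather than trusting Content-Type, and it raises the reboot alert only when a device reboots at least three times within ten minutes, since a single reboot is ordinary maintenance.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed inventory of VersaLink management addresses (hypothetical).
PRINTERS = {"192.0.2.20", "192.0.2.21"}

# Hex of the two TIFF headers: "II*\0" (little-endian) and "MM\0*" (big-endian).
TIFF_MAGIC_HEX = ("49492a00", "4d4d002a")

# Constructed sample events, not real logs: proxy records for the printer VLAN
# plus reboot events forwarded from the printers themselves.
SAMPLE_LOGS = """\
{"ts":"2022-02-01T09:00:01Z","source":"proxy","src_ip":"203.0.113.7","dst_ip":"192.0.2.20","dst_port":80,"http_method":"POST","content_type":"application/octet-stream","body_prefix":"49492a0008000000"}
{"ts":"2022-02-01T09:00:05Z","source":"proxy","src_ip":"198.51.100.5","dst_ip":"192.0.2.20","dst_port":443,"http_method":"POST","content_type":"image/tiff","body_prefix":"4d4d002a00000008"}
{"ts":"2022-02-01T09:00:09Z","source":"proxy","src_ip":"198.51.100.9","dst_ip":"192.0.2.20","dst_port":80,"http_method":"GET","content_type":"","body_prefix":""}
{"ts":"2022-02-01T09:00:12Z","source":"proxy","src_ip":"198.51.100.9","dst_ip":"192.0.2.21","dst_port":443,"http_method":"POST","content_type":"application/json","body_prefix":"7b226a6f62223a"}
{"ts":"2022-02-01T09:00:40Z","source":"printer_logs","device":"192.0.2.20","event":"reboot"}
{"ts":"2022-02-01T09:03:10Z","source":"printer_logs","device":"192.0.2.20","event":"reboot"}
{"ts":"2022-02-01T09:05:50Z","source":"printer_logs","device":"192.0.2.20","event":"reboot"}
{"ts":"2022-02-01T09:08:30Z","source":"printer_logs","device":"192.0.2.20","event":"reboot"}
{"ts":"2022-02-01T09:01:00Z","source":"printer_logs","device":"192.0.2.21","event":"reboot"}
"""


def parse_ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))


def is_tiff_post(ev, printers):
    """POST to a printer's web port whose body, or declared type, is TIFF."""
    if ev.get("source") != "proxy" or ev.get("http_method") != "POST":
        return False
    if ev.get("dst_ip") not in printers or ev.get("dst_port") not in (80, 443):
        return False
    body = ev.get("body_prefix", "").lower()
    declared = ev.get("content_type", "").lower()
    return declared == "image/tiff" or body.startswith(TIFF_MAGIC_HEX)


def reboot_bursts(events, threshold, window):
    """One alert per device that rebooted at least `threshold` times inside `window`."""
    per_device = defaultdict(list)
    for ev in events:
        if ev.get("source") == "printer_logs" and ev.get("event") in ("reboot", "crash"):
            per_device[ev["device"]].append(parse_ts(ev["ts"]))
    alerts = []
    for device, times in sorted(per_device.items()):
        times.sort()
        best = 0
        for i, start in enumerate(times):      # window anchored at each event in turn
            best = max(best, sum(1 for t in times[i:] if t - start <= window))
        if best >= threshold:
            alerts.append(("reboot_loop", device, best))
    return alerts


def detect(log_text, printers=PRINTERS, threshold=3, window=timedelta(minutes=10)):
    """Return ('tiff_post', src, dst) and ('reboot_loop', device, count) alerts."""
    events = [json.loads(line) for line in log_text.splitlines() if line.strip()]
    alerts = [("tiff_post", ev["src_ip"], ev["dst_ip"])
              for ev in events if is_tiff_post(ev, printers)]
    alerts += reboot_bursts(events, threshold, window)
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS):
        print(*alert)
```

On the sample data the first proxy record is caught only by the magic bytes (its declared type is application/octet-stream), which is the case a Content-Type-only query misses, and 192.0.2.20 is reported once with its reboot count rather than once per reboot.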

🔗 References
