Pipeline Researchers Uncovered Exposed Printers in Japan’s Universities
Internet-connected devices have become the backbone of institutional infrastructure. When they are misconfigured or left unsecured, they become entry points for attackers. We therefore used Censys to look for exposed printers in Japanese universities; the detailed findings follow.
Among these devices, networked printers, with their administrative interfaces and the sensitive documents they handle, are especially important yet often overlooked in security audits.
Using Censys, an internet-wide scanning service, the Pipeline Security Research Team found notable printer exposures across Japan's top universities and companies. These weaknesses leak device details, allow printer settings to be changed remotely, and open the door to unauthorized access and misuse.
Key Findings: Exposed Printers in Japan Universities
Using Censys queries, researchers identified publicly exposed printer services running with unsafe defaults. Exposures were noted on Port 9100 (raw/JetDirect printing), Port 631 (IPP), Port 515 (LPD), Ports 139/445 (SMB), and Port 161 (SNMP). The query used to uncover the initial exposures was:
(labels: printer) AND services.port=9100 AND location.country="Japan"
The results provided a detailed map of publicly accessible printers, listing sensitive attributes such as IP addresses, printer models, and even administrative interfaces.
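To show concretely what an exposed port 9100 gives away, here is an added example written for this article (it is not part of the original research or of Censys). It sends the PJL `INFO ID` and `INFO STATUS` queries that a raw-printing port accepts without any authentication and parses the reply into a dictionary. The sample reply, the script name and the 192.0.2.10 address are constructed placeholders.

```python
"""Added example: what an exposed raw-printing port (TCP 9100) answers to.

Example code written for this article, not part of the original research
or of Censys. It sends the PJL INFO ID / INFO STATUS queries that a
JetDirect-style port accepts with no authentication and parses the reply.
Standard library only.
"""
import socket
from typing import Dict, Optional

UEL = b"\x1b%-12345X"  # Universal Exit Language: switches the port into PJL mode
PJL_PROBE = UEL + b"@PJL INFO ID\r\n@PJL INFO STATUS\r\n" + UEL


def build_pjl_probe() -> bytes:
    """The exact bytes sent to the printer: two read-only PJL queries."""
    return PJL_PROBE


def parse_pjl_reply(reply: bytes) -> Dict[str, str]:
    """Flatten a PJL reply into {"ID": model, "STATUS.CODE": ..., ...}.

    A device answers each query with an echo line ("@PJL INFO ID"), one or
    more data lines, and a form feed (0x0C) terminator.
    """
    info: Dict[str, str] = {}
    section: Optional[str] = None
    for raw in reply.replace(b"\x0c", b"").splitlines():
        line = raw.strip().decode("ascii", errors="replace")
        if not line:
            continue
        if line.startswith("@PJL INFO "):
            section = line.split(" ", 2)[2]  # "ID", "STATUS", ...
            continue
        if section == "ID":
            info["ID"] = line.strip('"')  # e.g. HP LaserJet 4250
        elif section and "=" in line:
            key, _, value = line.partition("=")
            info[f"{section}.{key}"] = value.strip('"')
    return info


def probe_pjl(host: str, port: int = 9100, timeout: float = 3.0) -> Optional[Dict[str, str]]:
    """Connect, send the probe, read until the printer goes quiet, parse."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_pjl_probe())
        try:
            while True:
                chunk = sock.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass  # printers keep the socket open; the timeout ends the read
    reply = b"".join(chunks)
    return parse_pjl_reply(reply) if reply else None


# Constructed sample reply, shaped like an HP-style device's answer (not a
# capture from any university printer).
SAMPLE_REPLY = (
    b'@PJL INFO ID\r\n"HP LaserJet 4250"\r\n\x0c'
    b'@PJL INFO STATUS\r\nCODE=10001\r\nDISPLAY="Ready"\r\nONLINE=TRUE\r\n\x0c'
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:  # e.g. python pjl_probe.py 192.0.2.10 (assumed address)
        print(probe_pjl(sys.argv[1]))
    else:
        print(parse_pjl_reply(SAMPLE_REPLY))
```

Everything the script learns (model, panel message, online state) comes back without credentials. The same channel accepts `@PJL DEFAULT` and `@PJL SET` commands that change device settings, which is why port 9100 should be treated as an administrative exposure rather than a print-only one.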
Institution-Specific Technical Insights
Separately, security researchers from the Shadowserver Foundation, a non-profit organization focused on improving security practices worldwide, have published a warning about organizations leaving printers exposed online.
In our research, we analyzed several common printer protocol ports and services across universities in Japan.
The University of Tokyo
World Ranking: 28th in the QS World University Rankings 2024.
Vulnerabilities:
- Port 9100 was publicly exposed, revealing:
  - Printer model, MAC address, IP address, and protocol information.
  - Access to administrative settings, leaving the device susceptible to denial of service (DoS) and malware injection.
- Outdated SSL/TLS protocol versions with weak cipher suites were detected on the administrative interface, allowing:
  - Man-in-the-middle (MITM) attacks.
  - Interception of administrative traffic, including credentials.
Censys Query:
labels: printer AND services.port: 9100 AND location.country_code: JP
National Institute of Informatics
Location: Chiyoda, Tokyo.
Findings:
- Printer configuration dashboards were reachable without authentication.
- Sensitive details revealed included:
  - Printer model and firmware version.
  - IPv4 addresses and associated MAC addresses.
- SNMP service ports were open with community strings left at the defaults.
- Together, these allowed remote attackers to:
  - Change printer configurations, such as job names and port details.
  - Intercept administrative credentials over weak TLS and use them to obtain administrative access.
Even with the research still in progress, it is clear that attackers can use these exposures to manipulate printer configuration, including job names, port assignments, and device identifiers such as computer names. Because authentication is weak or absent, unauthorized users can obtain administrative privileges and make unrestricted changes to system settings.
In addition, the printers run outdated SSL/TLS versions with weak cipher suites and deprecated hashing algorithms, leaving administrative sessions open to man-in-the-middle (MITM) attacks, data interception, and theft of the credentials that grant administrative access.
Specific Vulnerability:
- Exploitable SNMP configurations detected:
  - CVE-2024-7011: a denial-of-service vulnerability caused by improper input sanitization.
  - CVE-2024-47523: cross-site scripting (XSS) via exposed SNMP fields.
Censys Query:
autonomous_system.description: "university" AND location.country_code: JP AND services.port: 161
Keio University
Global Rank: Top 12.5% in QS Rankings.
Vulnerabilities:
- Canon printers detected with Port 515 (LPD) exposed.
- Weak SSL/TLS encryption, with cipher suites whose key sizes offer little resistance to brute force.
- Attackers could exploit vulnerabilities such as:
  - CVE-2000-0839: denial of service (DoS) via LPD parameters.
  - CVE-2007-5381: arbitrary code execution via a hostname buffer overflow.
Censys Query:
autonomous_system.description: "university" AND location.country_code: JP AND services.port: 515
Technical Vulnerabilities by Port
Port 631 (IPP)
Functionality: Internet Printing Protocol (IPP); unlike raw port 9100 it supports authentication and, as IPPS, encryption, but an exposed CUPS instance is dangerous regardless.
Exploitable Vulnerabilities (the 2024 CUPS chain):
- CVE-2024-47175: libppd writes attacker-controlled IPP attributes into a generated PPD file without validation.
- CVE-2024-47076: libcupsfilters does not validate IPP attributes returned by a printer, so attacker-controlled data flows into the rest of the CUPS stack.
- Chained with CVE-2024-47176 (cups-browsed accepting unauthenticated packets on UDP port 631) and CVE-2024-47177 (command execution through the FoomaticRIPCommandLine PPD directive), these allow remote code execution on the host as soon as a user prints to the attacker-advertised printer.
Affected Institutions:
- The University of Tokyo, Kansai University, and Waseda University.
Port 515 (Line Printer Daemon - LPD): A Legacy Threat
Port 515, used by the Line Printer Daemon (LPD) protocol, is a legacy service for submitting print jobs remotely. Once a cornerstone of networked printing, the protocol has no authentication or encryption and has become a significant liability. Our research revealed publicly exposed Port 515 services at Kyoto University (ranked 17th in the 2024 QS Asia University Rankings) and Keio University (among the top 12.5% of universities globally).
Vulnerabilities Identified
- Denial-of-Service (DoS) Attacks:
  - Exploiting LPD options can cause service disruption, as outlined in CVE-2000-0839.
- Arbitrary Code Execution:
  - Sending an excessively long hostname can allow attackers to execute malicious code, as highlighted in CVE-2007-5381.
Implications
Exposed Port 515 services allow attackers to:
- Disrupt printing operations by overwhelming the LPD service with malicious commands.
- Execute arbitrary code to gain control over the affected device, enabling further infiltration into the network.
Censys Query:
autonomous_system.description: "university" AND location.country_code: JP AND services.port: 515
The analysis revealed extensive exposure at these universities, emphasizing the urgent need to disable or replace LPD with secure alternatives.
Port 139 and 445 (Server Message Block - SMB): The Gateway to Critical Data
Ports 139 and 445 carry the Server Message Block (SMB) protocol, which provides file and printer sharing in Windows environments. Exposing them to the public internet makes them a frequent target. We observed public exposure at institutions such as Meiji University (top 9.3% globally), Teikyo University (top 5.5%), Keio University, and Musashino University (101-150 in the QS World University Rankings).
Vulnerabilities Identified
- Kernel-Mode Arbitrary Code Execution:
  - The Windows SMB server runs in the kernel, so implementation flaws in the protocol have repeatedly given remote attackers code execution with kernel-level privileges.
- Privilege Escalation:
  - CVE-2024-26245, a Windows SMB elevation-of-privilege vulnerability, lets an attacker with initial access elevate their rights. (CVE-2024-47176 is a cups-browsed flaw on UDP port 631, part of the same 2024 CUPS chain as CVE-2024-47175 and CVE-2024-47076; it is not an SMB issue.)
Implications
Exposed SMB ports enable attackers to:
- Access and manipulate shared files and printer configurations.
- Leverage kernel-level privileges to infiltrate and control the network.
Censys Query
autonomous_system.description: "university" AND location.country_code: JP AND services.port: 139 AND services.port: 445
The widespread exposure of these ports at major universities highlights the importance of strict access control and protocol upgrades to secure SMB services.
Port 161 (Simple Network Management Protocol - SNMP): Monitoring Gone Wrong
Port 161, used by the Simple Network Management Protocol (SNMP), is instrumental in monitoring and managing networked devices, including printers. However, default community strings and outdated SNMP versions (v1 and v2c send the community string in cleartext) leave the protocol prone to exploitation. Our research revealed publicly exposed SNMP services across top Japanese universities, including The University of Tokyo (32nd in the QS World University Rankings 2025), Ritsumeikan University (641-650), Osaka University (17th), Toyama University (top 5.2%), and Nihon University (651-700).
Vulnerabilities Identified
- Denial-of-Service (DoS):
  - Improper input sanitization in SNMP handling can crash services, as outlined in CVE-2024-7011.
- Cross-Site Scripting (XSS):
  - Attackers can exploit exposed SNMP fields for XSS attacks, as detailed in CVE-2024-47523.
Implications
Unsecured SNMP services provide attackers with:
- Detailed device information, including firmware versions and network configurations.
- An entry point to execute attacks that disrupt operations or steal sensitive data.
Censys Query:
autonomous_system.description: "university" AND location.country_code: JP AND services.port: 161
The results demonstrated that SNMP misconfigurations are prevalent, further underscoring the importance of adopting SNMPv3 and disabling insecure versions.
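As an added example (written for this article, not part of the original research or of the Censys platform), the script below performs the default-community check behind this finding: it hand-encodes an SNMPv1 GetRequest for sysDescr.0, sends it to UDP port 161 with each vendor-default community string, and reports which strings the device answers. The `build_get_response` helper and the "HP LaserJet" value exist only to fabricate a device reply for offline testing, and 192.0.2.10 is an assumed placeholder address.

```python
"""Added example: SNMPv1 default-community probe for printer audits.

Example code written for this article, not from the original post or from
Censys. Encodes/decodes the BER structures by hand so the check runs with
the standard library only.
"""
import socket
from typing import Dict, Optional, Tuple

SYSDESCR_OID = "1.3.6.1.2.1.1.1.0"            # sysDescr.0
DEFAULT_COMMUNITIES = ("public", "private")    # strings vendors ship with


# --- minimal BER encoders -------------------------------------------------
def _length(n: int) -> bytes:
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, body: bytes) -> bytes:
    return bytes([tag]) + _length(len(body)) + body


def ber_integer(value: int) -> bytes:
    # two's-complement, minimal length; (bit_length+8)//8 keeps a sign bit
    size = max(1, (value.bit_length() + 8) // 8)
    return _tlv(0x02, value.to_bytes(size, "big", signed=True))


def ber_oid(dotted: str) -> bytes:
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share a byte
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                     # base-128, high bit = continue
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        out += bytes(reversed(chunk))
    return _tlv(0x06, bytes(out))


def build_get_request(community: str, oid: str, request_id: int) -> bytes:
    """SNMPv1 message: version 0, community, GetRequest-PDU (tag 0xA0)."""
    varbind = _tlv(0x30, ber_oid(oid) + b"\x05\x00")             # OID + NULL
    pdu = _tlv(0xA0, ber_integer(request_id) + ber_integer(0)    # error-status
               + ber_integer(0) + _tlv(0x30, varbind))           # error-index
    return _tlv(0x30, ber_integer(0) + _tlv(0x04, community.encode()) + pdu)


def build_get_response(community: str, oid: str, request_id: int, value: bytes) -> bytes:
    """Fabricates a GetResponse-PDU (tag 0xA2); used only for offline testing."""
    varbind = _tlv(0x30, ber_oid(oid) + _tlv(0x04, value))
    pdu = _tlv(0xA2, ber_integer(request_id) + ber_integer(0)
               + ber_integer(0) + _tlv(0x30, varbind))
    return _tlv(0x30, ber_integer(0) + _tlv(0x04, community.encode()) + pdu)


# --- minimal BER decoder --------------------------------------------------
def _read_tlv(buf: bytes, pos: int) -> Tuple[int, bytes, int]:
    tag, first = buf[pos], buf[pos + 1]
    pos += 2
    if first & 0x80:                             # long-form length
        n = first & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:
        length = first
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(data: bytes) -> Optional[Tuple[str, int, bytes]]:
    """Return (community, error_status, value) or None if not a GetResponse."""
    tag, msg, _ = _read_tlv(data, 0)
    if tag != 0x30:
        return None
    _, _, p = _read_tlv(msg, 0)                  # version
    _, community, p = _read_tlv(msg, p)
    tag, pdu, _ = _read_tlv(msg, p)
    if tag != 0xA2:                              # not a GetResponse-PDU
        return None
    _, _, p = _read_tlv(pdu, 0)                  # request-id
    _, err, p = _read_tlv(pdu, p)
    error_status = int.from_bytes(err, "big", signed=True)
    _, _, p = _read_tlv(pdu, p)                  # error-index
    _, vblist, _ = _read_tlv(pdu, p)
    _, varbind, _ = _read_tlv(vblist, 0)
    _, _, p = _read_tlv(varbind, 0)              # OID
    _, value, _ = _read_tlv(varbind, p)
    return community.decode(errors="replace"), error_status, value


def probe_default_communities(host: str, communities=DEFAULT_COMMUNITIES,
                              timeout: float = 2.0) -> Dict[str, str]:
    """Return {community: sysDescr} for every default string the device accepts."""
    hits: Dict[str, str] = {}
    for req_id, community in enumerate(communities, start=1):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            sock.sendto(build_get_request(community, SYSDESCR_OID, req_id), (host, 161))
            try:
                data, _ = sock.recvfrom(4096)
            except socket.timeout:
                continue                         # silently dropped: rejected or filtered
        parsed = parse_get_response(data)
        if parsed and parsed[1] == 0:            # error-status 0 means accepted
            hits[community] = parsed[2].decode(errors="replace")
    return hits


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.0.2.10"   # assumed address
    for community, descr in probe_default_communities(target).items():
        print(f"{target} answers to community '{community}': {descr}")
```

A device that answers with error-status 0 to "public" or "private" is confirming the exposure described above: anyone on the internet can read sysDescr (firmware version, model) and, if "private" is accepted with write access, change settings. The same encoder produces a SetRequest by changing the PDU tag to 0xA3, which is exactly why these strings must be replaced or, better, SNMPv1/v2c disabled in favour of SNMPv3.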
Remediation Strategies
The following remediation measures are recommended to address the exposures found in publicly accessible printers across Japanese universities:
- Disable Unused Services
  - If a service (IPP, LPD, SMB, SNMP, raw port 9100) is not needed, turn it off to reduce the attack surface. Every unnecessary listener is a potential point of entry.
- Use Secure Alternatives
  - Replace insecure protocols with modern, secure equivalents.
  - Use IPP over TLS (IPPS) instead of plain IPP on Port 631.
  - Use SMBv3 with encryption enabled instead of SMBv1 and SMBv2.
  - Use SNMPv3 with authentication and privacy instead of SNMPv1 or SNMPv2c.
  - Audit printer configurations regularly to confirm the secure protocols are actually enforced.
- Network Segmentation
  - Isolate printers and other networked devices in dedicated VLANs or subnets.
  - Restrict sensitive protocols such as SMB and SNMP to trusted internal networks with firewall rules.
  - Segmentation limits lateral movement, shielding critical infrastructure from a compromised device.
- Change Default Configurations
  - Replace default SNMP community strings with unique, complex strings.
  - Turn off unwanted printer features and require strong, unique administrative credentials.
- Disallow External Access
  - Block external access to sensitive services such as SMB, SNMP, and IPP with firewall rules.
  - Give administrators who need remote access a VPN or another secured remote-access path rather than exposing the printer directly.
- Patch and Secure Printer Firmware
  - Update printer firmware regularly to address vulnerabilities such as CVE-2007-5381, and keep the print servers and workstations that talk to the printers patched against issues such as CVE-2024-26245 and the 2024 CUPS chain (CVE-2024-47175 and related).
  - Disable or restrict raw printing on Port 9100 (JetDirect) unless it is absolutely necessary.
  - Accept firmware updates only from the verified manufacturer to prevent malicious or counterfeit updates.
Combining these measures, for example segmenting the network and disabling unneeded services, addresses both the current exposures and emerging threats.
How Censys Helps in Mitigation
Censys helps identify and mitigate exposures by providing actionable data from internet-wide scanning. Below are the specific ways it assists in mitigation:
- Proactive Vulnerability Management
  - Censys detects exposed, vulnerable, or misconfigured services across your network as they appear, so administrators can act on them before they are exploited.
- Patch and Update Verification
  - Censys records service banners and software versions, which helps confirm that devices and services on critical ports (e.g., SMB, SNMP, IPP) have been patched against known vulnerabilities such as CVE-2024-47175.
- Network Segmentation and Access Control Validation
  - Censys shows whether sensitive services such as SMB and SNMP are reachable from the public internet, which validates that access restrictions and segmentation are working as intended.
- Audit and Monitor for Rogue Devices
  - Continuous scanning for unknown hosts and misconfigurations helps ensure that only sanctioned devices expose services, keeping rogue devices off attack paths.
- Real-time Alerts
  - Alerts for newly discovered or vulnerable services let administrators act before attackers take advantage of them.
For organizations trying to protect their infrastructure, Censys is a valuable tool because of its alerting and its ability to identify precise device characteristics.
Conclusion
Our Censys results show the often-overlooked weaknesses in internet-connected devices, including network printers. Left unattended, these devices open doors for intruders, leading to data leaks and operational disruption.
Censys' scanning features give organizations a clear view of their attack surface, enabling them to find and fix exposures proactively across their systems. Its ability to identify mismanaged devices, obsolete configurations, and exposed ports provides the information needed to build a strong security program.
Tools like Censys become ever more important as organizations add more IoT devices to their environments. Together with the mitigation measures above, regular monitoring maintains a strong security posture.
By acting early to secure every device, organizations can safeguard sensitive data, preserve operational continuity, and protect their reputation in an increasingly connected world. Get in touch with us for a thorough security assessment of your exposures, whatever your sector.