3 Bugs Found in 2019 Cannot Be Patched Without Physical Access to the Printers
Mihir Bagwe • May 13, 2022
Attackers with physical access to the printers could access admin passwords in clear text. (Source: Konica Minolta)
Hundreds of thousands of Konica Minolta printers, widely used across businesses, have reportedly been vulnerable to three critical flaws since 2019. Although a patch was made available in early 2020, it could not be deployed at the time because the firmware update required physical access to the printers, and COVID-19 lockdowns around the globe made that difficult, if not impossible.
The vulnerabilities, now tracked as CVE-2022-29586, CVE-2022-29587 and CVE-2022-29588, were found by researchers at SEC Consult, an Atos-owned cybersecurity firm. If successfully exploited, they could give an attacker root privileges on the underlying operating systems used in the printers.
The catch? Just as updating the firmware requires physical access, exploiting the flaws also requires physical access to the printer, according to SEC Consult’s security advisory.
But this does not mean that exploitation of the vulnerability is less likely, Johannes Greil, the head of SEC Consult Vulnerability Lab, tells Information Security Media Group. “The chances [of exploitation] are very high, especially in business environments where those printers are mainly being used.