Kyocera’s Device Manager software, which allows IT managers to monitor and manage large fleets of Kyocera printers and multifunction devices, carried a vulnerability that could have been abused by hackers and other threat actors, according to Trustwave SpiderLabs’ Senior Technical Specialist, Jordan Hedges.
In a technical writeup posted on Trustwave’s website, the company explained that the flaw “allows attackers to coerce authentication attempts to their own resources, such as a malicious SMB share, to capture or relay Active Directory hashed credentials if the 'Restrict NTLM: Outgoing NTLM traffic to remote servers' security policy is not enabled.”
The vulnerability is now tracked as CVE-2023-50916 and is described as a path traversal problem: an attacker can intercept the local path that points to the database backup location and replace it with a universal naming convention (UNC) path, i.e. a path of the form \\server\share that names a remote SMB server.
Patched endpoints
As a result, the app will try to authenticate to the attacker’s UNC path, handing over the credential hash and, with it, access to client accounts and sensitive data. Hedges also explained that attackers could go further and mount NTLM relay attacks, if the environment’s configuration allows it.
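To make the bug class concrete, here is an added example in Python (not Kyocera’s Device Manager code, nor anything from Trustwave’s writeup): a backup-location handler that passes the request value straight to the filesystem, next to a hardened version that rejects UNC and device-namespace paths before normalising and then proves the resolved path stays under a fixed backup directory. BACKUP_ROOT, the function names and the sample paths are all constructed for illustration.

```python
r"""Backup-path validation: the vulnerable pattern next to a hardened check.

Added example, not Kyocera's or Trustwave's code. It models the bug class the
writeup describes: a database backup location that the service passes to the
filesystem unchecked, so an attacker can swap a local path for a UNC path and
make the service account authenticate to \\attacker\share over SMB.
BACKUP_ROOT, the function names and the sample paths below are constructed.
"""
import ntpath
import re

# Constructed assumption: backups may only be written below this directory.
BACKUP_ROOT = r"C:\ProgramData\ExampleDeviceManager\backup"

# Anything starting with two separators is remote or a device namespace on
# Windows: \\host\share, //host/share, \\?\UNC\host\share, \\.\pipe\name.
_TWO_LEADING_SEPARATORS = re.compile(r"^[\\/]{2}")

# Host part of \\host\share... or \\?\UNC\host\share...; "?" and "." are the
# device-namespace prefixes, not hosts.
_UNC_HOST = re.compile(r"^\\\\(?:\?\\UNC\\)?([^\\?.][^\\]*)\\")


class UnsafeBackupPath(ValueError):
    """The supplied path would leave BACKUP_ROOT or reach the network."""


def vulnerable_resolve(user_path: str) -> str:
    r"""The bug class: the request value goes straight to the filesystem.

    With r"\\10.0.0.5\loot" the service opens a share on an attacker host and
    its NTLM credential is sent in the SMB session setup.
    """
    return user_path


def unc_target_host(path: str):
    """Host a UNC path would make the caller connect to, or None if local."""
    m = _UNC_HOST.match(path.replace("/", "\\"))
    return m.group(1) if m else None


def resolve_backup_path(user_path: str, root: str = BACKUP_ROOT) -> str:
    """Return an absolute path under `root`, or raise UnsafeBackupPath.

    Order matters: reject UNC/device forms before any normalisation, then
    collapse '..' and mixed slashes, then prove containment on the result.
    """
    if not user_path or "\x00" in user_path:
        raise UnsafeBackupPath("empty or NUL-containing path")
    if _TWO_LEADING_SEPARATORS.match(user_path):
        host = unc_target_host(user_path)
        detail = " (would authenticate to %r)" % host if host else ""
        raise UnsafeBackupPath("UNC/device path rejected" + detail)
    root_norm = ntpath.normpath(root)
    # join() keeps an absolute user path, switches drive for "D:\x", and
    # appends relative or drive-relative ("C:x") paths to root.
    candidate = ntpath.normpath(ntpath.join(root_norm, user_path))
    candidate_cf = ntpath.normcase(candidate)
    root_cf = ntpath.normcase(root_norm)
    if candidate_cf != root_cf and not candidate_cf.startswith(root_cf + "\\"):
        raise UnsafeBackupPath("path escapes backup root: %r" % candidate)
    return candidate


def is_safe_backup_path(user_path: str, root: str = BACKUP_ROOT) -> bool:
    """Boolean wrapper around resolve_backup_path for callers that only gate."""
    try:
        resolve_backup_path(user_path, root)
        return True
    except UnsafeBackupPath:
        return False


# Constructed sample inputs: what a legitimate admin sends, and what an
# attacker who can tamper with the backup-location parameter would send.
SAMPLE_PATHS = [
    r"nightly\db.bak",
    r"C:\ProgramData\ExampleDeviceManager\backup\db.bak",
    r"\\10.0.0.5\loot\db.bak",
    r"//10.0.0.5/loot/db.bak",
    r"\\?\UNC\10.0.0.5\loot\db.bak",
    r"..\..\..\Windows\System32\config\SAM",
    r"D:\db.bak",
]

if __name__ == "__main__":
    for p in SAMPLE_PATHS:
        try:
            print("ACCEPT", resolve_backup_path(p))
        except UnsafeBackupPath as e:
            print("REJECT", p, "->", e)
```

The remote form is rejected before normalisation on purpose: ntpath.normpath would happily canonicalise a forward-slash //host/share into a valid UNC path, and a containment check alone would not catch a drive-relative or device-namespace form. Independently of the patch, the policy the writeup names, "Network security: Restrict NTLM: Outgoing NTLM traffic to remote servers", is stored at HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\RestrictSendingNTLMTraffic (0 allow all, 1 audit all, 2 deny all); setting it to 2, or at least 1 to log attempts, blunts this class of coercion even on a host that has not yet been updated.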
Kyocera addressed the problem by releasing a patch, so those interested in keeping their endpoints secure should make sure their Device Manager is at version 3.1.1213.0 or later.
There is no evidence of the bug being exploited in the wild. However, when news of a patch breaks, threat actors usually start scanning the internet for vulnerable endpoints, and because many IT teams do not keep their systems updated at all times, the risk of exploitation is now arguably greater than when the flaw was a zero-day.
“We value vendors like Kyocera for their transparency and commitment to security,” Trustwave concluded.