Zebra Industrial Printers Insufficiently Protected Credentials (CVE-2019-10960)

High severity, Tenable OT Security Plugin ID 502254

Synopsis

The remote OT asset is affected by a vulnerability.

Description

All versions of Zebra Industrial Printers are affected. Zebra printers are shipped with unrestricted end-user access to front panel options. If the option to use a passcode to limit the functionality of the front panel is applied, specially crafted packets can be sent over the same network to a port on the printer, and the printer will respond with an array of information that includes the front panel passcode for the printer. Once the passcode is retrieved, an attacker must have physical access to the front panel of the printer to enter the passcode and access the full functionality of the front panel.

This plugin only works with Tenable.ot.
Please visit https://www.tenable.com/products/tenable-ot for more information.

Solution

The following text was originally created by the Cybersecurity and Infrastructure Security Agency (CISA). The original can be found at CISA.gov.

Zebra has released a new version of the software that can be obtained at: https://www.zebra.com/linkos

Zebra recommends its printers should not be configured to be fully accessible via the Internet. Zebra further recommends that if a Zebra printer needs to be accessed from outside an organization’s secure network architecture, users use Weblink Technology (or similar tools) that provide a secure, encrypted connection to the user’s printer.

See Also

https://www.us-cert.gov/ics/advisories/icsa-19-232-01

Plugin Details

Severity: High

ID: 502254

Version: 1.3

Type: remote

Family: Tenable.ot

Published: 5/6/2024

Updated: 9/4/2024

Supported Sensors: Tenable OT Security

Risk Information

VPR

Risk Factor: Low

Score: 3.6

CVSS v2

Risk Factor: Medium

Base Score: 5

Temporal Score: 3.7

Vector: CVSS2#AV:N/AC:L/Au:N/C:P/I:N/A:N

CVSS Score Source: CVE-2019-10960

CVSS v3

Risk Factor: High

Base Score: 7.5

Temporal Score: 6.5

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Temporal Vector: CVSS:3.0/E:U/RL:O/RC:C

Vulnerability Information

CPE: cpe:/o:zebra:220xi4_firmware, cpe:/o:zebra:zt620_firmware, cpe:/o:zebra:zt410_firmware, cpe:/o:zebra:zt610_firmware, cpe:/o:zebra:zt220_firmware, cpe:/o:zebra:zt420_firmware, cpe:/o:zebra:zt230_firmware, cpe:/o:zebra:zt510_firmware

Required KB Items: Tenable.ot/Zebra

Exploit Ease: No known exploits are available

Patch Publication Date: 8/20/2019

Vulnerability Publication Date: 8/20/2019

Reference Information

CVE: CVE-2019-10960

CWE: 522

ICSA: 19-232-01