AttackerKB AKB:4FE1F032-B17D-4DD5-9F39-F382C5042621
History: Nov 10, 2017 - 12:00 a.m.

CVE-2017-16249

2017-11-10 00:00:00
attackerkb.com
6

EPSS: 0.042 (Low)
EPSS Percentile: 92.2%

The Debut embedded http server contains a remotely exploitable denial of service where a single malformed HTTP POST request can cause the server to hang until eventually replying (~300 seconds) with an HTTP 500 error. While the server is hung, print jobs over the network are blocked and the web interface is inaccessible. An attacker can continuously send this malformed request to keep the device inaccessible to legitimate traffic.

Recent assessments:

h00die at March 25, 2020 12:36am UTC reported:

Debut makes an embedded http server which is likely on ‘dumb’ devices which need a web server for configuration such as Brother and HP printers. Exploitation is trivial, just send 40 characters of data in a POST request w/o authentication, and the service will crash. Since these devices are typically cheap and ‘dumb’, crashing the http server will most likely also cause the entire device to reboot, or require a watchdog service to restart the http server. Isn’t much to gain here though since you’re simply crashing a service. DoS printers, save trees?
However, of note, these devices may not include a firmware update mechanism, and may therefore be vulnerable for life, such as my Brother HL-L2380DW.

Assessed Attacker Value: 1
Assessed Attacker Value: 5