The Lantronix xPrintServer and its accompanying cloud storage API contain several vulnerabilities.
CWE-77: Improper Neutralization of Special Elements used in a Command ('Command Injection') - CVE-2014-9002
An unauthenticated attacker can include a shell command inside the 'c' parameter of an AJAX request to the device, which is then executed as root on the device. According to Lantronix, this issue was addressed in version 3.3.0.
CWE-352: Cross-Site Request Forgery (CSRF) - CVE-2014-9003
According to MITRE, "Cross-site request forgery (CSRF) vulnerability in Lantronix xPrintServer allows remote attackers to hijack the authentication of administrators for requests that modify configuration, as demonstrated by executing arbitrary commands using the 'c' parameter in the rpc action". According to Lantronix, this issue was addressed in version 3.3.0.
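The command injection (CVE-2014-9002) and CSRF (CVE-2014-9003) issues above share one root: an RPC action that forwards a client-supplied 'c' parameter to a shell and accepts the request regardless of where it came from. The following Python is an added illustration of what the hardened shape of such a handler looks like; it is not Lantronix code and does not reflect the xPrintServer's real command set or API. The command names, allow-list, request and session dictionaries, token field and host name are all constructed assumptions.

```python
import hmac
import subprocess
from urllib.parse import urlsplit

# Constructed allow-list for a hypothetical device RPC handler (not the
# xPrintServer's real command set). A symbolic name in the 'c' parameter maps
# to a fixed argv list, so no client-supplied text is ever handed to a shell.
ALLOWED_COMMANDS = {
    "status": ["echo", "printer-ok"],
    "version": ["echo", "firmware-version-placeholder"],  # constructed sample value
}


def select_command(c_param):
    """Return a copy of the argv list for an allow-listed name, else None.

    The lookup is an exact key match; a value that carries extra shell syntax
    (for example 'status; uptime') is simply not in the table and is rejected.
    """
    if not isinstance(c_param, str):
        return None
    argv = ALLOWED_COMMANDS.get(c_param)
    return list(argv) if argv is not None else None


def csrf_token_valid(session_token, submitted_token):
    """Constant-time comparison of the per-session token with the submitted one."""
    if not session_token or not submitted_token:
        return False
    return hmac.compare_digest(session_token, submitted_token)


def origin_allowed(origin_header, expected_host):
    """Accept only requests whose Origin header names the device's own host."""
    if not origin_header:
        return False
    parts = urlsplit(origin_header)
    return parts.scheme in ("http", "https") and parts.netloc == expected_host


def handle_rpc(request, session):
    """Hardened dispatch for an 'rpc'-style action.

    request: {"host": str, "headers": {...}, "params": {...}}  (constructed shape)
    session: {"authenticated": bool, "csrf_token": str}       (constructed shape)
    Returns an (http_status, body) tuple.
    """
    if not session.get("authenticated"):
        return 401, "authentication required"  # CWE-306: no anonymous use
    if not origin_allowed(request["headers"].get("Origin"), request["host"]):
        return 403, "origin not allowed"  # CWE-352: reject cross-site origins
    if not csrf_token_valid(session.get("csrf_token"), request["params"].get("csrf")):
        return 403, "csrf check failed"  # CWE-352: require the per-session token
    argv = select_command(request["params"].get("c"))
    if argv is None:
        return 400, "unknown command"  # CWE-77: only allow-listed names run
    proc = subprocess.run(argv, capture_output=True, text=True, timeout=5, check=False)
    return 200, proc.stdout.strip()


def make_request(c_value, csrf=None, origin="http://printer.example"):
    """Build a constructed request dictionary for the demonstration below."""
    params = {"c": c_value}
    if csrf is not None:
        params["csrf"] = csrf
    headers = {"Origin": origin} if origin else {}
    return {"host": "printer.example", "headers": headers, "params": params}


if __name__ == "__main__":
    session = {"authenticated": True, "csrf_token": "t0k3n-constructed"}
    print(handle_rpc(make_request("status", csrf="t0k3n-constructed"), session))
    print(handle_rpc(make_request("status; uptime", csrf="t0k3n-constructed"), session))
    print(handle_rpc(make_request("status"), session))
    print(handle_rpc(make_request("status", csrf="t0k3n-constructed"), {"authenticated": False}))
```

The design point is that the 'c' value is never sanitized and never interpolated: it is only ever used as a dictionary key, so the question of which shell metacharacters to strip never arises. The Origin check and the session-bound token are layered so that a browser-driven request from another site fails before any command is selected.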
CWE-798: Use of Hard-coded Credentials - CVE-2016-4325
An undocumented account with hard-coded passwords allows an unauthenticated attacker root access to the device. According to Lantronix, this issue was addressed in version 5.0.1-65.
Additionally, the device uses hard-coded default credentials and does not require the user to change them before using the device.
CWE-340: Predictability Problems
The device previously bound automatically to the DNS name <http://xprintserver.local>. An attacker may use this information to launch attacks without knowing the internal IP address of the device. According to Lantronix, this issue was addressed in version 5.0.1-65 by adding the MAC address of the device to the name.
CWE-200: Information Exposure
The xPrintServer connects to a remote cloud storage, hosted at
These web applications may expose private information to an unauthenticated attacker. The private information may include file/data uploads, network logs, and the internal IP address of the device. According to Lantronix, this issue was addressed on 5/5/2016 (please see the Resolution below).
CWE-306: Missing Authentication for Critical Function
An unauthenticated user may be able to upload, modify, or delete files from the xPrintServer remote cloud storage. According to Lantronix, this issue was addressed on 5/5/2016 (please see the Resolution below).
The CVSS score below is based on the hard-coded credentials.
An unauthenticated remote attacker may be able to learn private information about the device's internal network, access or modify the device's configuration or files, or gain root access to the device.
Apply an update
Lantronix has released firmware version 5.0.1-65 to address these issues. Affected users are encouraged to update as soon as possible.
According to Lantronix, the web applications have been addressed as of 5/5/2016. The diagnostic upload has been partitioned from the site where printer drive files are read. In addition, only select authenticated Lantronix employees are able to read the uploaded files. Only the private IP address is visible using the findmyxps.com service. The findmyxps.com feature can be disabled in version 5.0.0-66 or above in the Web UI under Printers -> Advanced, by checking "Disable Internet Services".
Notified: February 09, 2016 Updated: May 13, 2016
Statement Date: May 09, 2016
We have not received a statement from the vendor.
We are not aware of further vendor information regarding this vulnerability.
Group | Score | Vector
Base | 8.3 | AV:A/AC:L/Au:N/C:C/I:C/A:C
Temporal | 6.5 | E:POC/RL:OF/RC:C
Environmental | 4.9 | CDP:ND/TD:M/CR:ND/IR:ND/AR:ND
Thanks to the reporter who wishes to remain anonymous.
This document was written by Garret Wassermann.