Last week, in a talk at the DEF CON 26 security conference in Las Vegas, researchers from Check Point, an Israeli IT security software provider, revealed vulnerabilities in the fax protocol that could serve as entry points for hackers into corporate networks.
This type of attack, named “Faxploit”, allows hackers to send an organization’s fax machine crafted images containing code that exploits vulnerabilities, enabling them to take over the machine. From there, hackers can use the fax machine to deploy other hacking tools that scan local networks and compromise nearby devices. In its demonstration, Check Point specifically took advantage of two buffer overflows in the implementation of fax capabilities in an HP device: CVE-2018-5924 and CVE-2018-5925. Please note that XM Fax software is not affected by the specific vulnerabilities that were discovered and used during this exploit.
It was reported that the above-mentioned vulnerabilities are simple to exploit; hackers would only need an organization’s fax number to target it. The attack code comes in via dedicated fax lines, with no internet connection required. Since fax machines don’t come with security software to scan inbound faxes, Faxploit can be difficult to defend against. Most companies publish their fax numbers in plain sight on their websites, and Google has over 300 million fax numbers indexed, making Faxploit a potentially powerful tool for targeting almost any organization in the world.
Not only Fax Machines are Vulnerable
It’s important to note that Faxploit also targets multifunction printers (MFPs) with built-in faxing capabilities.
XMedius wishes to advise concerned organizations on steps they can take to minimize risk of a Faxploit attack:
- If your company sends and receives fax transmissions via MFP, it is important to contact your provider for any available security patches as soon as possible. So far, HP has already responded by releasing patches for their series of HP Officejet all-in-one printers, but many fax machine and MFP vendors could also be vulnerable.
- A simple method of defense against Faxploit attacks is network segmentation. Breaking larger corporate networks into smaller networks, or isolating fax machines onto their own subnetworks, can not only greatly reduce the risk of attack, but also limit the scope of personal data that hackers could gain access to.
- A third option would be to reduce your organization’s possible attack area using centralized fax server solutions instead of hundreds of fax devices spread across your whole network. Centralized fax solutions are easier to protect, update and monitor.
Your faxing environment needs to be handled with an appropriate level of precaution, just as you do for your mail, your web server or your workstation environments. If your organization is currently using, or is considering migrating to a fax server solution, here are a few elements that should be taken into consideration:
Reduce the risk footprint:
- Using a fax server/service solution reduces the number of devices you have to be concerned about and provides a more controllable environment
- You can still leverage your MFPs with the use of several integrations and connectors from your FoIP provider or its partners, allowing them to have faxing capabilities without being connected to the public telephony network
- Harden your servers by stopping unnecessary services and removing unneeded software
Keep software up-to-date:
- Keep your fax server OS up-to-date, as you would do for your workstation environment
- Devices like faxes and MFPs need to be updated to get the latest security fixes. This is often an oversight in patching policies.
- Consider retiring devices that cannot be updated. If vendors no longer offer active support and security fixes, these devices can be a weak link in your overall data security strategy
Monitor your systems for viruses, trojans and other forms of attacks:
- Use a good antivirus/antimalware and make sure to keep it up to date
- Use vulnerability scanner tools to detect out-of-date software
- Monitor traffic coming out of the MFD and fax server zones; a compromised device will create atypical network traffic that can be detected by intrusion detection systems (IDS).
- Register on your fax service provider's support pages to be notified when new fixes are available, or when they make important security announcements
- Find and follow reliable sources on security that provide thorough explanations about vulnerabilities and attack vectors
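The monitoring of traffic leaving the MFD and fax server zones described above can be approximated with a simple allow-list check over flow records. The following is an added example, not part of the original article or of any XMedius product: the subnet, the allowed destinations, the fan-out threshold and the flow record format are all assumptions, and the sample records are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed addressing (not from the article): fax/MFP zone and its expected peers.
FAX_ZONE = ip_network("10.20.30.0/24")
ALLOWED = {("10.20.1.20", "tcp", 443),  # central fax server
           ("10.20.1.10", "tcp", 25),   # mail relay (fax-to-email)
           ("10.20.1.53", "udp", 53)}   # internal DNS
FANOUT_LIMIT = 4  # distinct unexpected destinations that suggest scanning

# Constructed flow records: timestamp, source, destination, protocol, port.
SAMPLE_FLOWS = """\
2018-08-20T09:00:01 10.20.30.15 10.20.1.20 tcp 443
2018-08-20T09:01:10 10.20.30.31 10.20.1.10 tcp 8080
2018-08-20T09:02:00 10.20.30.22 10.20.40.11 tcp 445
2018-08-20T09:02:01 10.20.30.22 10.20.40.12 tcp 445
2018-08-20T09:02:02 10.20.30.22 10.20.40.13 tcp 445
2018-08-20T09:02:03 10.20.30.22 10.20.40.14 tcp 445
truncated-record 10.20.30.22
2018-08-20T09:03:00 10.20.50.7 10.20.40.11 tcp 445
"""

def parse_flows(text):
    """Yield (ts, src, dst, proto, port) tuples, skipping malformed records."""
    for line in text.splitlines():
        try:
            ts, src, dst, proto, port = line.split()
            rec = (ts, ip_address(src), ip_address(dst), proto.lower(), int(port))
        except ValueError:  # wrong field count, bad address or bad port
            continue
        yield rec

def find_alerts(text):
    """Report fax-zone hosts that send traffic outside the allow-list."""
    hits = defaultdict(list)
    for ts, src, dst, proto, port in parse_flows(text):
        outbound = src in FAX_ZONE and dst not in FAX_ZONE
        if outbound and (str(dst), proto, port) not in ALLOWED:
            hits[str(src)].append((ts, str(dst)))
    alerts = []
    for src, flows in sorted(hits.items()):
        fanout = len({dst for _, dst in flows})
        kind = "possible-scan" if fanout >= FANOUT_LIMIT else "unexpected-egress"
        alerts.append({"src": src, "kind": kind, "destinations": fanout,
                       "first_seen": flows[0][0]})
    return alerts

if __name__ == "__main__":
    print(*find_alerts(SAMPLE_FLOWS), sep="\n")
```

Because fax devices have a small, predictable set of peers, a strict allow-list like this produces few false positives once the zone is segmented.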
For more information on minimizing fax protocol vulnerabilities, contact XMedius at: firstname.lastname@example.org