The Epson AirPrint web configuration page is vulnerable to a reflected cross-site scripting (XSS) issue in the INPUTT_GEOLOCATION parameter of the web administration console. An attacker with network access to the printer's web UI could leverage this issue to trick the printer's administrator into disclosing a session cookie, thus elevating the attacker's privileges to those of a printer administrator.
Epson AirPrint is shipped with a number of Epson home and small office printers, all of which have many standard networking capabilities. Note that by default, the administrative web interface isn't password protected, and the printer allows anyone to change settings without authentication. Thus, the only situations in which this reflected XSS issue would be useful to an attacker are those where someone has already enabled password protection on the web UI.
This issue was discovered by Steven Campbell, a Rapid7 researcher.
Exploitation for Reflected XSS (CWE-79)
The web configuration page for AirPrint is vulnerable to reflected Cross-Site Scripting (XSS) due to a lack of input filtering of the 'INPUTT_GEOLOCATION' parameter. This issue was discovered on an Epson XP-440 printer, and the example URL is shown below:
Absent a vendor patch, administrators should restrict access to the printer's web UI to trusted users, using network segmentation and network ACLs.
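The defect class described above, shown in code as an added example that is not Epson's firmware or any code from the advisory: a settings form that echoes the INPUTT_GEOLOCATION parameter back into HTML without output encoding, beside the same form with HTML encoding applied, plus a small check a defender could run over web server access logs for requests carrying markup in that parameter. The form template, the request paths and the log format are constructed for the example; only the parameter name comes from the advisory.

```python
# Added example (not Epson's code). Demonstrates why the INPUTT_GEOLOCATION
# parameter must be output-encoded before it is reflected into HTML, and a
# log check that flags requests carrying markup in that parameter.
import html
from urllib.parse import parse_qs, urlsplit

PARAM = "INPUTT_GEOLOCATION"  # parameter named in the advisory

# Constructed template standing in for a settings field that echoes the
# submitted value back to the administrator on the configuration page.
TEMPLATE = '<input type="text" name="{name}" value="{value}">'


def _param_value(query: str) -> str:
    """Return the (percent-decoded) value of INPUTT_GEOLOCATION, or ""."""
    return parse_qs(query).get(PARAM, [""])[0]


def render_unencoded(query: str) -> str:
    """Vulnerable pattern: the raw parameter value is substituted into HTML,
    so a value containing a double quote closes the attribute and any
    following '<' starts a new element under the attacker's control."""
    return TEMPLATE.format(name=PARAM, value=_param_value(query))


def render_encoded(query: str) -> str:
    """Fixed pattern: HTML-encode the value for an attribute context.
    quote=True also encodes " and ', so the value cannot leave the attribute."""
    return TEMPLATE.format(name=PARAM, value=html.escape(_param_value(query), quote=True))


def breaks_out_of_attribute(rendered: str) -> bool:
    """True if the rendered fragment contains more than the single <input>
    tag the template defines, i.e. the value escaped its attribute context."""
    return rendered.count("<") > 1


# Constructed access-log lines in the format: <client ip> "<method> <path> <proto>" <status>
SAMPLE_LOG = [
    '192.0.2.10 "GET /settings?INPUTT_GEOLOCATION=Office+3 HTTP/1.1" 200',
    '198.51.100.7 "GET /settings?INPUTT_GEOLOCATION=%22%3E%3Cb%3Ex HTTP/1.1" 200',
    '192.0.2.10 "GET /status HTTP/1.1" 200',
    'malformed line without a request field',
]


def suspicious_requests(log_lines):
    """Return (client_ip, decoded_value) for requests whose INPUTT_GEOLOCATION
    value contains characters that can break out of an HTML attribute.
    parse_qs percent-decodes the value, so encoded <, >, " and ' are caught."""
    hits = []
    for line in log_lines:
        try:
            request = line.split('"')[1]          # GET /path?query HTTP/1.1
            path = request.split(" ")[1]
        except IndexError:
            continue                              # not a well-formed log line
        for value in parse_qs(urlsplit(path).query).get(PARAM, []):
            if any(ch in value for ch in '<>"\''):
                hits.append((line.split(" ")[0], value))
    return hits


if __name__ == "__main__":
    probe = "INPUTT_GEOLOCATION=%22%3E%3Cb%3Ex"   # constructed: a quote, then a harmless <b> tag
    print("unencoded:", render_unencoded(probe))
    print("encoded:  ", render_encoded(probe))
    print("flagged:  ", suspicious_requests(SAMPLE_LOG))
```

The log check is deliberately narrow: it only inspects the one parameter the advisory names, so it produces few false positives on a printer whose web UI otherwise sees little traffic. It decodes the value once, the same way the server does, which is the point at which the reflected characters would reach the page.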
Security of our products is important to Epson. We encourage responsible disclosure by customers and the research community and we endeavor to address valid vulnerabilities. As a reminder, we urge customers to ensure the firmware on their products is always up to date. Please visit https://epson.com/Support/wa00826 for more information, and we encourage users to contact Epson customer support (https://epson.com/support) should they need help updating their device.
- Mon, Nov 20, 2017: Initial disclosure attempt to the vendor
- Tue, Dec 05, 2017: Details provided to vendor
- Tue, Dec 05, 2017: Disclosed to CERT/CC, tracked as VRF#17-12-DSPVH
- Wed, Jan 17, 2018: Reserved CVE-2018-5550
- Fri, Jan 19, 2018: Vendor published an advisory detailing the issue and remediation guidance.
- Thu, Feb 8, 2018: Public Disclosure of CVE-2018-5550
- Mon, Feb 12, 2018: Vendor statement provided