Lately, attackers probing a company's infrastructure rarely come across the luxury of a workstation without an EDR agent, so malicious actors are focusing on compromising servers, or the various specialized devices connected to the network that have fairly broad access privileges but lack EDR protection and often even logging capabilities. We've previously written in detail about the types of vulnerable office devices. Real-world attacks in 2025 are focused on network devices (such as VPN gateways, firewalls, and routers), video surveillance systems, and the servers themselves. But printers shouldn't be overlooked either, as independent researcher Peter Geissler reminded the audience at the Security Analyst Summit 2025. He described a vulnerability he'd found in Canon printers (CVE-2024-12649, CVSS 9.8), which allows executing malicious code on these devices. And the most interesting aspect of this vulnerability is that exploiting it merely requires sending an innocent-looking file to print.
Trojan Type Font: an attack via CVE-2024-12649
The attack begins with sending an XPS file to print. This format, created by Microsoft, contains everything needed to print a document, and serves as an alternative to PDF. XPS is essentially a ZIP archive containing a detailed description of the document, all its images, and the fonts used. The fonts are usually stored in the common TTF (TrueType Font) format invented by Apple. And it's precisely the font itself, something not usually perceived as dangerous, that contains the malicious code.
The TTF format was designed both to make letters look identical on any medium and to scale correctly to any size, from the smallest character on a screen to the largest on a printed poster. To achieve this, each glyph can carry hinting instructions that describe the fine detail of how it should be rendered at small sizes. Hinting instructions are essentially commands for a compact virtual machine which, despite its simplicity, supports all the basic building blocks of programming: memory management, jumps, and branching. Geissler and his colleagues studied how this virtual machine is implemented in Canon printers. They discovered that some TTF hinting instructions are executed insecurely. For example, the virtual machine commands that manage the stack don't check for overflow.
As a result, they succeeded in creating a malicious font. When a document containing it is printed on certain Canon printers, it causes a stack buffer overflow, writes data beyond the virtual machine's buffers, and ultimately achieves code execution on the printer's processor. The entire attack is carried out via the TTF file; the rest of the XPS content is benign. In fact, detecting the malicious code even within the TTF file is quite difficult: it's not very long, the first part consists of TTF virtual machine instructions, and the second part is native code for Canon's proprietary operating system (DryOS).
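The defensive counterpart of what the paragraphs above describe, as an added example that is not code from the original article, from Canon, or from Geissler's research: a Python scanner that opens an XPS package as a ZIP, reads the table directory of each plain TrueType font inside it, and compares the stack depth the fpgm and prep hinting programs can demand with the limit the font itself declares in maxp.maxStackElements. An interpreter that sizes its stack from that declared value and then, as described above, never bounds-checks its push instructions is exactly what such a mismatch would hit. The depth estimate is a linear over-approximation (it credits pops only for a handful of common opcodes and does not follow jumps), and the sample XPS, the font file names and the constructed fonts are assumptions for illustration.

```python
import io
import struct
import zipfile

# TrueType instruction opcodes used below (values from the OpenType spec).
NPUSHB, NPUSHW = 0x40, 0x41
PUSHB_FIRST, PUSHW_FIRST = 0xB0, 0xB8        # PUSHB[0..7] = 0xB0..0xB7, PUSHW[0..7] = 0xB8..0xBF
CLEAR = 0x22
JUMP_OPS = {0x1C, 0x78, 0x79}                # JMPR, JROT, JROF
# Net stack effect of common non-push opcodes. Unlisted opcodes count as 0, which never
# under-counts growth: apart from pushes, only the +1 entries here make the stack deeper.
NET_EFFECT = {
    0x20: +1, 0x21: -1, 0x24: +1,            # DUP, POP, DEPTH
    0x4B: +1, 0x4C: +1,                      # MPPEM, MPS
    0x60: -1, 0x61: -1, 0x62: -1, 0x63: -1,  # ADD, SUB, DIV, MUL
    0x50: -1, 0x51: -1, 0x52: -1, 0x53: -1, 0x54: -1, 0x55: -1,  # LT, LTEQ, GT, GTEQ, EQ, NEQ
    0x5A: -1, 0x5B: -1,                      # AND, OR
    0x42: -2, 0x44: -2,                      # WS, WCVTP
    0x2B: -1, 0x2C: -1, 0x58: -1,            # CALL, FDEF, IF
    0x1C: -1, 0x78: -2, 0x79: -2,            # JMPR, JROT, JROF
}


def hint_stack_bound(program: bytes):
    """Linear over-approximation of the stack depth a hinting program can reach.

    Returns (peak_depth, has_jumps). Control flow is not followed, so a program that
    loops via a backward jump can exceed the bound; has_jumps flags it for manual review.
    """
    depth = peak = 0
    has_jumps = False
    i, n = 0, len(program)
    while i < n:
        op = program[i]
        i += 1
        if op in (NPUSHB, NPUSHW):               # count byte, then count bytes or words of data
            if i >= n:
                raise ValueError("truncated NPUSH at offset %d" % (i - 1))
            delta = program[i]
            i += 1 + delta * (1 if op == NPUSHB else 2)
        elif PUSHB_FIRST <= op <= PUSHB_FIRST + 7:  # PUSHB[k] pushes k+1 bytes
            delta = op - PUSHB_FIRST + 1
            i += delta
        elif PUSHW_FIRST <= op <= PUSHW_FIRST + 7:  # PUSHW[k] pushes k+1 words
            delta = op - PUSHW_FIRST + 1
            i += 2 * delta
        elif op == CLEAR:
            depth = 0
            continue
        else:
            has_jumps |= op in JUMP_OPS
            delta = NET_EFFECT.get(op, 0)
        if i > n:
            raise ValueError("push data runs past end of program")
        depth = max(depth + delta, 0)
        peak = max(peak, depth)
    return peak, has_jumps


def ttf_tables(ttf: bytes) -> dict:
    """Read the TrueType table directory into {tag: table bytes}."""
    num_tables = struct.unpack(">H", ttf[4:6])[0]
    tables = {}
    for k in range(num_tables):
        tag, _checksum, offset, length = struct.unpack(">4sIII", ttf[12 + 16 * k: 28 + 16 * k])
        tables[tag.decode("latin-1")] = ttf[offset: offset + length]
    return tables


def declared_max_stack(tables):
    """maxp.maxStackElements, or None if the font declares no hinting limits (maxp v0.5 or truncated)."""
    maxp = tables.get("maxp", b"")
    return struct.unpack(">H", maxp[24:26])[0] if len(maxp) >= 26 else None


def scan_xps(xps_bytes: bytes):
    """Report, for every plain TrueType font in the XPS package, whether fpgm/prep
    can demand more stack than maxp declares. Per-glyph programs in glyf are not covered."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(xps_bytes)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".ttf", ".otf")):
                continue
            tables = ttf_tables(zf.read(name))
            declared = declared_max_stack(tables)
            for tag in ("fpgm", "prep"):
                if tag in tables:
                    peak, has_jumps = hint_stack_bound(tables[tag])
                    findings.append({"font": name, "table": tag, "declared": declared, "peak": peak,
                                     "has_jumps": has_jumps,
                                     "suspicious": declared is None or peak > declared})
    return findings


# --- constructed sample data below: minimal fonts and an XPS package, not a real exploit ---

def build_ttf(tables: dict) -> bytes:
    """Assemble a minimal TrueType file from {tag: bytes} (checksums left at zero)."""
    n = len(tables)
    header = struct.pack(">IHHHH", 0x00010000, n, 0, 0, 0)
    directory, body, data_start = b"", b"", 12 + 16 * n
    for tag, data in sorted(tables.items()):
        directory += struct.pack(">4sIII", tag.encode("ascii"), 0, data_start + len(body), len(data))
        body += data + b"\0" * (-len(data) % 4)
    return header + directory + body


def maxp_table(max_stack: int) -> bytes:
    fields = [0] * 13
    fields[9] = max_stack                        # maxStackElements is the 10th field after numGlyphs
    return struct.pack(">IH13H", 0x00010000, 1, *fields)


def build_sample_xps() -> bytes:
    """Two-font XPS: a benign font, and one whose fpgm pushes 200 values although maxp declares 16."""
    benign_fpgm = bytes([0xB1, 1, 2, 0x60, 0x21])    # PUSHB[1] 1 2; ADD; POP
    greedy_fpgm = bytes([NPUSHB, 200]) + bytes(200)  # one NPUSHB of 200 bytes
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FixedDocSeq.fdseq", "<FixedDocumentSequence/>")
        zf.writestr("Resources/Fonts/ok.ttf", build_ttf({"maxp": maxp_table(16), "fpgm": benign_fpgm}))
        zf.writestr("Resources/Fonts/bad.ttf", build_ttf({"maxp": maxp_table(16), "fpgm": greedy_fpgm}))
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_xps(build_sample_xps()):
        print(finding)
```

A hit from this scanner is a reason to quarantine the print job and look at the font, not proof of exploitation: the bound is deliberately pessimistic, a program with backward jumps (has_jumps) can push more than it estimates, and XPS also allows fonts to be stored obfuscated as .odttf, which must be de-obfuscated before the table directory can be read. The same check belongs in the interpreter itself: a push that would exceed maxStackElements, or the interpreter's own stack size, should abort rendering rather than proceed.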
It should be noted that in recent years Canon has focused on securing printer firmware. For example, it uses the DACR registers and NX (no-execute) flags supported by ARM processors to limit the ability to modify system code or execute code in memory regions intended only for data storage. Despite these efforts, the overall DryOS architecture doesn't allow for effective implementation of memory protection mechanisms, such as ASLR or stack canaries, that are standard in larger modern operating systems. That is why researchers regularly find ways to bypass the existing protection. For instance, in the attack we're discussing, the malicious code was successfully executed by placing it, via the TTF trick, into a memory buffer intended for a different printing protocol, IPP.
Realistic exploitation scenario
In its bulletin describing the vulnerability, Canon states that the vulnerability can be exploited remotely if the printer is accessible via the internet. Consequently, it recommends configuring a firewall so the printer can only be used from the internal office network. While this is good advice and the printer should indeed be removed from public access, this isn't the only attack scenario.
In his talk, Peter Geissler pointed to a much more realistic, hybrid scenario in which the attacker sends an employee an attachment in an email or a messenger message and, under one pretext or another, suggests they print it. If the victim does send the document to print, inside the internal corporate network and without any internet exposure, the malicious code is executed on the printer. Naturally, the capabilities of malware running on a printer are limited compared to malware that has infected a full-fledged computer. Nevertheless, it could, for example, create a tunnel by establishing a connection to the attacker's server, allowing the attackers to target other computers in the organization. Another potential use of such malware on the printer would be forwarding everything printed at the company directly to the attacker's server. In certain organizations, such as law firms, this could lead to a critical data breach.
How to fend off this printer threat
The vulnerability CVE-2024-12649 and several closely related defects can be eliminated by installing the printer firmware update according to Canon's instructions. Unfortunately, many organizations, even those that diligently update software on computers and servers, lack a systematic process for updating printer firmware. Such a process must be implemented for all equipment connected to the corporate network.
However, security researchers emphasize that there is a multitude of attack vectors targeting specialized equipment. Therefore, there's no guarantee that attackers won't arm themselves tomorrow with a similar exploit unknown to printer manufacturers or their customers. To minimize the risk of exploitation:
- Segment the network, limiting the printer's ability to establish outbound connections and to accept connections from devices and users not authorized to print.
- Disable all unused services on the printer.
- Set a unique, complex administrator password on each printer/device.
- Implement a comprehensive security system within the organization, including EDR installed on all computers and servers, a modern firewall, and comprehensive network monitoring based on a SIEM system.