ICS Advisory

Zebra ZTC Industrial ZT400 and ZTC Desktop GK420d

Release Date
Alert Code
ICSA-23-339-01

View CSAF

1. EXECUTIVE SUMMARY

  • CVSS v3 5.4
  • ATTENTION: Exploitable with adjacent access/low attack complexity
  • Vendor: Zebra Technologies
  • Equipment: ZTC Industrial ZT410, ZTC Desktop GK420d
  • Vulnerability: Authentication Bypass Using an Alternate Path or Channel

2. RISK EVALUATION

Successful exploitation of this vulnerability could allow an attacker to send specially crafted packets to change credentials without any prior authentication.

3. TECHNICAL DETAILS

3.1 AFFECTED PRODUCTS

The following versions of Zebra ZTC industrial and desktop printers are affected:

  • ZTC Industrial ZT410: All versions
  • ZTC Desktop GK420d: All versions

3.2 Vulnerability Overview

3.2.1 Authentication Bypass Using an Alternate Path or Channel CWE-288

A vulnerability of authentication bypass has been found in Zebra Technologies ZTC Industrial ZT410 and ZTC Desktop GK420d. This vulnerability allows an attacker that is in the same network as the printer to change the username and password for the web page by sending a specially crafted POST request to the setvarsResults.cgi file. For this vulnerability to be exploitable, the printer's protected mode must be disabled.

CVE-2023-4957 has been assigned to this vulnerability. A CVSS v3 base score of 5.4 has been calculated; the CVSS vector string is (AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N).

3.3 BACKGROUND

  • CRITICAL INFRASTRUCTURE SECTORS: Critical Manufacturing
  • COUNTRIES/AREAS DEPLOYED: Worldwide
  • COMPANY HEADQUARTERS LOCATION: United States

3.4 RESEARCHER

Phosphorus Cybersecurity reported this vulnerability to CISA.

4. MITIGATIONS

Zebra printers running Link-OS v6.0 and later have a protected mode that protects the printer from this vulnerability. Activating this mode disables unauthorized changes and locks the current configuration until an administrator authorizes updates. By default, the secure mode is disabled as it is necessary to generate a password first.

For more information about the protected mode and to apply it to Zebra printer products that may be affected, see the Link-OS Printer Administration Guide.

NOTE: The ZT410 industrial printer was discontinued on Oct 1st, 2020. The service and support discontinuation dates are in September and December, 2025, depending on region. Further information regarding security settings and best practices, including "Protected Mode," can be found in the references of the product.

NOTE: the GK420d desktop printer was discontinued on Jan 31, 2022. The service and support discontinuation date is April 30, 2025.

For more information on the product resources, see GK420d Desktop Printer Support Manual.

For more information on this vulnerability, see INCIBE-CERT's Security Advisory.

CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.

CISA also provides a section for control systems security recommended practices on the ICS webpage on cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.

CISA encourages organizations to implement recommended cybersecurity strategies for proactive defense of ICS assets.

Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B--Targeted Cyber Intrusion Detection and Mitigation Strategies.

Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.

No known public exploitation specifically targeting this vulnerability has been reported to CISA at this time.

5. UPDATE HISTORY

  • December 5, 2023: Initial Publication

This product is provided subject to this Notification and this Privacy & Use policy.

Vendor

  • Zebra