
We discovered a vulnerability in a wide range of Ricoh printers, where with a simple PostScript file sent directly, it is possible to crash the device.

To recover you need physical access to the printer and an administration account to clear the queue (otherwise, after the restart, the crash will occur again).

This offers a simple and quick denial of service attack. If you are in the right network, you can disable all the printers within seconds.

We tried to contact Ricoh for months (but we were more or less silently ignored) and we finally were able to speak with the responsible person in our country. He stated that he does not see the problem.

Given that we are following the rules of responsible disclosure (Ricoh was warned months ago) and that they clearly stated that they will not address the problem: where should we disclose the problem?

Matteo
  • As someone who spent a long time working on a service desk supporting printers like this, it really doesn't surprise me, and I suspect Ricoh are already aware of this issue. We'd regularly have to get the support contractors to go directly into printer queues and clear jobs like this, which we couldn't clear via any of the normal support methods. The support contractors were the ones with contracts with various printer manufacturers, who had the correct details etc. to get into the 'in-depth' parts of the printer management. – djsmiley2kStaysInside Sep 12 '19 at 12:41
  • Reddit is a good place for this I guess. – hek2mgl Sep 12 '19 at 14:17
  • Btw, if the attack requires you to have access to the printer that allows you to print, you could simply DoS the printer by letting it print a huge amount of paper. – hek2mgl Sep 12 '19 at 14:20
  • @hek2mgl. This sounds much more environmentally friendly :) – Mad Physicist Sep 12 '19 at 20:46
  • Seems like you've already decided the answer is "Stack Exchange". (And yes, you haven't disclosed the exact procedure, but disclosing the target, attack surface, and effect is a rather large chunk of the disclosure.) – Acccumulation Sep 12 '19 at 21:52
  • You found a way to crash a printer? I'm not sure that you can classify that as a "zero day". That's just a bug (or a Tuesday, in the printer world). – schroeder Sep 13 '19 at 14:41
  • You could also report the issue to US-CERT (https://www.us-cert.gov/report) or the CERT for your country if outside the US. It could be that Ricoh would take them more seriously than a run-of-the-mill user. – Swashbuckler Sep 13 '19 at 17:08

3 Answers

37

You should request a CVE ID from MITRE (https://cve.mitre.org/cve/request_id.html), which is the responsible CNA for this.

You can then disclose it on security mailing lists like Bugtraq or Full Disclosure. Security magazines and news sites might also be interested in the vulnerability. You can contact them directly and ask if they are interested in publishing the vulnerability, though they likely follow Bugtraq and Full Disclosure anyway.

D.O.
  • The CVE can be requested only after the disclosure. – Matteo Sep 12 '19 at 06:49
  • @Matteo So disclose it at the same time. – forest Sep 12 '19 at 07:32
  • @Matteo: I don't think you need to disclose it before getting a CVE ID. The CVE form says "Once a CVE ID is assigned to your vulnerability, it will not be published in the CVE List until you have submitted a URL pointing to public information about the vulnerability. Without a public reference, the CVE ID will display as "RESERVED" in the CVE List." – Jan Fabry Sep 12 '19 at 08:20
  • @Matteo You may also wish to check that this hasn't already been [reported](https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ricoh) – Lightness Races in Orbit Sep 12 '19 at 11:18
  • @Matteo no, you can either request a CVE and then disclose the vulnerability, or disclose the vulnerability right away and then get a CVE. I prefer the former way, because it's better in some cases (e.g. when you want to discuss the vulnerability before disclosing it). But in principle both ways are possible. – D.O. Sep 16 '19 at 11:06
10

If you want to disclose a vulnerability, I would suggest contacting the right CNA. You can find a list under this link. Then you can request a CVE ID and everything goes on if this vulnerability really exists.

Cyberduck
0

Anywhere you like, if at all.

Ricoh MFPs can lock up if you look at them funny, let alone send them a specially crafted PostScript file. If you've found yet another way of making them crash, perhaps post about it on your favourite comment site or write it up on your blog, but it's probably not going to get Ricoh or their customers particularly bothered (as you've found) and probably won't get assigned a CVE.

There don't currently appear to be any CVEs raised where the only risk is of a device crashing, for instance: https://cve.mitre.org/cgi-bin/cvekey.cgi?keyword=ricoh

I run around a dozen Ricoh MFPs to which the whole of my network can send PostScript files directly, and yet this discovery has elicited no reaction from any of my team. If they did patch it, most printers wouldn't get the fix for years: by the time they had analysed the issue and made a new firmware, affected devices would have been replaced or undergone maintenance resulting in the latest firmware being applied. This isn't the sort of issue that would call for a critical advisory and immediate application of a patch, sadly; if you're in a position to send print jobs directly to the printer, you're in a position to DoS it (not to mention additionally wasting materials/creating sub2pewdiepie pages) by sending it print jobs?

Also worth considering: if they aren't going to fix it, and any fixes they do make won't make it to the vast majority of affected devices, perhaps the most responsible thing is to not disclose the specific details of the vulnerability at all?

And to the person who said that mentioning it's a Ricoh device crashing, that it's annoying to fix once it does, and that it involves sending a PostScript file to it is so specific as to be almost disclosing the fault itself: the information contained in the original text is about as dangerous as a locksmith revealing that you can jam a certain brand of lock by directly inserting a malformed key. It's both highly generic and highly predictable as far as I can imagine?

Oscar
  • I was with you until you suggested that, since it will never be fixed, it might be more responsible *not* to disclose. https://www.schneier.com/essays/archives/2007/01/schneier_full_disclo.html – Conor Mancone Sep 13 '19 at 13:36