Check Point, a well-known security firm, has recently released a thorough article in which they demonstrated, with a proof of concept, how a vulnerability in a fax device can be exploited to gain access to another network that the machine is connected to. XMedius, being security conscious, has looked into this and wanted to weigh in on these findings.
Firstly, XMedius would like to report that its XMediusFAX software is not affected by the specific vulnerabilities that were discovered and used during this exploit, i.e. CVE-2018-5924 and CVE-2018-5925.
However, the research does highlight that your faxing environment needs to be handled with an appropriate level of precaution, just as you do for your mail, your web server or your workstation environments. Basically, anything processing data from the external world is at risk of being exploited by a yet-unknown vulnerability. As such, here are a few elements that should be taken into consideration when using XMediusFAX and XMediusFAX Cloud:
Reduce the risk footprint
- Using a fax server/service solution reduces the number of devices you have to be concerned about and provides a more controllable environment.
- You can still leverage your MFPs with the use of several integrations and connectors provided by XMedius or its partners, allowing them to have faxing capabilities without being connected to the public telephony network.
- Harden your servers by stopping unnecessary services and reducing the amount of unneeded software.
Keep software up-to-date
- XMedius is in total control of all its software code, from the fax stack to the fax delivery mechanisms. XMedius has a vulnerability watch program and releases security updates on a continuous and timely basis. It is, however, the system administrator’s responsibility to keep the XMediusFAX server up-to-date by applying those fixes.
- XMediusFAX uses third-party software, such as Java, Tomcat, MySQL and GhostScript. XMedius encourages the system administrator to always keep this software up-to-date to the latest minor release of the major version distributed with XMediusFAX.
- Keep your XMediusFAX server OS up to date, as you would do for your workstation environment.
- Devices like faxes and MFDs need to be updated to get the latest security fix. This is often an oversight in patching policies. In some cases, customers may want to retire devices that cannot be updated.
Segregate, segregate, segregate
- Ideally, your fax server environment should run in its own subnet and be isolated from your corporate network, with a properly configured firewall that allows only necessary traffic.
- Furthermore, your XMediusFAX server modules can be isolated, again allowing only the necessary traffic between them.
- Internet connections should not be allowed from the XMediusFAX servers, apart from necessary/controlled traffic (if any).
- Create a specific network zone for devices like printers, scanners, MFDs; they present a different security profile than the regular desktop environment. For devices in that zone, limit access to the internet and internal network resources to the strict minimum for them to achieve their function.
Monitor the fax system for viruses, trojans and other forms of attacks
- Use a good antivirus/antimalware and make sure to keep it up to date.
- Use vulnerability scanner tools to detect out-of-date software.
- Monitor traffic coming out of the MFD and fax server zones; a compromised device will create atypical network traffic that can be detected by intrusion detection systems (IDS).
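An added example, not XMedius code, of the egress check implied by the segregation and monitoring points above: it compares flow records leaving the fax and MFD zones against an allowlist of expected destinations and reports everything else. The subnets, hosts, ports and the flow-record format are constructed assumptions for illustration.

```python
import csv
import ipaddress

# Constructed zone layout: subnets, hosts and ports are assumptions for this example.
ZONES = {
    "fax": ipaddress.ip_network("10.20.0.0/24"),
    "mfd": ipaddress.ip_network("10.30.0.0/24"),
}
# Egress each zone is expected to produce: (destination network, protocol, port).
ALLOWED = {
    "fax": [(ipaddress.ip_network("10.10.5.25/32"), "tcp", 25)],   # mail relay
    "mfd": [(ipaddress.ip_network("10.20.0.10/32"), "tcp", 443)],  # fax server connector
}
# Constructed flow records: timestamp,src,dst,proto,dport,bytes
SAMPLE_FLOWS = """\
2018-08-20T10:00:01,10.30.0.15,10.20.0.10,tcp,443,5120
2018-08-20T10:00:07,10.20.0.10,10.10.5.25,tcp,25,20480
2018-08-20T10:02:13,10.30.0.15,10.10.8.40,tcp,445,880
2018-08-20T10:02:40,10.20.0.10,203.0.113.7,tcp,443,1400
2018-08-20T10:03:00,10.10.8.40,10.10.5.25,tcp,25,300
not,a,valid,record
"""

def zone_of(addr):
    """Return the name of the monitored zone containing addr, or None."""
    return next((name for name, net in ZONES.items() if addr in net), None)

def audit(flow_text):
    """Return (violations, malformed_count) for flows leaving monitored zones."""
    violations, malformed = [], 0
    for row in csv.reader(flow_text.splitlines()):
        try:
            _ts, src, dst, proto, dport, _size = row
            src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
            dport = int(dport)
        except ValueError:
            malformed += 1  # unparsable records are counted, not silently dropped
            continue
        zone = zone_of(src)
        if zone is None:
            continue  # source is outside the fax/MFD zones
        if not any(dst in net and proto.lower() == p and dport == port
                   for net, p, port in ALLOWED[zone]):
            violations.append((zone, str(src), str(dst), proto.lower(), dport))
    return violations, malformed

if __name__ == "__main__":
    found, bad = audit(SAMPLE_FLOWS)
    for v in found:
        print("ATYPICAL egress from %s zone: %s -> %s %s/%d" % v)
    print("malformed records:", bad)
```

The same allowlist can serve as the source for the zone firewall rules, so that anything this audit flags is also traffic the firewall should already be dropping.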
For more information, please feel free to contact us at: firstname.lastname@example.org