Ricoh multi-function-printer vulnerability investigation

Our biggest vulnerability is probably our employees, but I’m not in charge of patching (educating) them. Our next biggest vulnerability is probably our multi-function printer/scanners. I’ve cloned the “Full and fast” scan config and told to scan the printers too. This allowed us to find and fix several remote code execution (RCE) vulnerabilities (among other problems).

The MFP that we’re testing with is a Ricoh IM C2500. OpenVAS now gives it a Low Severity rating, which is much better than the 10.0 High Severity that we started with.

One problem that we’re encountering is that the printer’s internal web server appears to be crashing when OpenVAS is about 98% done with the scan.

Can OpenVAS give me any details about what it is doing when the web service stops responding on tcp/443?

I’m thinking of trying to report the problem to Ricoh, but they’ll probably ignore me unless I can give them more information.

At 96%
443/tcp open https
9100/tcp open jetdirect
Nmap done: 1 IP address (1 host up) scanned in 12.60 seconds

at 98%
443/tcp filtered https
9100/tcp open jetdirect
Nmap done: 1 IP address (1 host up) scanned in 20.04 seconds

[additional information]
when I block OpenVAS from communicating on tcp/443 to this printer, the scan completes without crashing the printer’s web server. OpenVAS identifies the operating system as cpe:/o:netbsd:netbsd

When the printer was listening on tcp/80, that service also crashed at the end of the OpenVAS scan.

To reiterate: I’m looking for information that might help Ricoh to identify and fix their problem.

There is a scanner setting called “log_whole_attack” which could be enabled like described in the topic below. Once enabled the scanner will log the time which VT has been launched at a specific scan progress, this data could be forwarded to the vendor for reproducing.


On a Ricoh IM C2500 with latest firmware, we can reliably crash its web server component using just
“Do not scan printers” = 0
“Global variable settings” “Enable CGI scanning” = 1
“Web application abuses” PHP CGI = 1

1 Like