CVE-2024-12649: vulnerability in the Canon TTF interpreter

These days, attackers probing an organization’s infrastructure rarely enjoy the luxury of a workstation without an EDR agent, so malicious actors are focusing on compromising servers, or the various specialized devices connected to the network that have fairly broad access privileges yet lack EDR protection and often even logging capabilities. We’ve previously written in detail about the types of vulnerable office devices. Real-world attacks in 2025 are focused on network devices (such as VPN gateways, firewalls, and routers), video surveillance systems, and the servers themselves. But printers shouldn’t be overlooked either, as independent researcher Peter Geissler reminded the audience at the Security Analyst Summit 2025. He described a vulnerability he’d found in Canon printers (CVE-2024-12649, CVSS 9.8), which allows executing malicious code on these devices. And the most interesting aspect of this vulnerability is that exploiting it merely requires sending an innocent-looking file to print.

Trojan Type Font: an attack via CVE-2024-12649

The attack begins with sending an XPS file to print. This format, created by Microsoft, contains everything needed to print a document and serves as an alternative to PDF. XPS is essentially a ZIP archive containing a detailed description of the document, all its images, and the fonts used. The fonts are usually stored in the popular TTF (TrueType Font) format invented by Apple. And it’s precisely the font itself — something not typically perceived as dangerous — that contains the malicious code.

The TTF format was designed to make letters look identical on any medium and scale correctly to any size — from the smallest character on a screen to the largest on a printed poster. To achieve this, each glyph can carry hinting instructions that describe the fine points of rendering it at small sizes. Hinting instructions are essentially commands for a compact virtual machine which, despite its simplicity, supports all the basic building blocks of programming: memory management, jumps, and branching. Geissler and his colleagues studied how this virtual machine is implemented in Canon printers and found that some TTF hinting instructions are executed insecurely. For example, the virtual machine commands that manage the stack don’t check for overflow.

As a result, they succeeded in creating a malicious font. When a document containing it is printed on certain Canon printers, it causes a stack buffer overflow, writes data beyond the virtual machine’s buffers, and ultimately achieves code execution on the printer’s processor. The entire attack is conducted via the TTF file; the rest of the XPS file content is benign. In fact, detecting the malicious code even within the TTF file is quite difficult: it’s not very long, the first part consists of TTF virtual machine instructions, and the second part runs on the exotic, proprietary Canon operating system (DryOS).
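To make the defect class described in the two paragraphs above concrete, here is an added example; it is not code from the post, from Canon, or from the researchers. It is a toy model of a TrueType hinting interpreter: the opcode values for PUSHB[0], DUP, POP and ADD are the real TrueType ones, while the stack size, the error codes and the sample instruction streams are assumptions constructed for the demonstration. The unchecked push shows the pattern the post describes (the engine trusts the font to stay inside the stack); the interpreter itself only ever runs the checked version, which rejects a stream that tries to push a ninth value onto an eight-slot stack instead of writing past it.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Toy model of a TrueType hinting interpreter (added illustration, not
 * Canon's or any real font engine's code). The opcode numbers are the
 * real TrueType ones for PUSHB[0], DUP, POP and ADD; everything else
 * (stack size, error codes, sample programs) is constructed here. */
enum { OP_DUP = 0x20, OP_POP = 0x21, OP_ADD = 0x60, OP_PUSHB0 = 0xB0 };
enum { VM_OK = 0, VM_ERR_STACK_OVERFLOW, VM_ERR_STACK_UNDERFLOW, VM_ERR_BAD_PROGRAM };

/* A real engine sizes the stack from maxStackElements in the font's 'maxp'
 * table; this model uses a tiny fixed stack so the limit is easy to reach. */
#define STACK_SLOTS 8

typedef struct {
    int32_t stack[STACK_SLOTS];
    size_t sp;  /* number of live slots, 0..STACK_SLOTS */
} ttvm;

/* Vulnerable pattern (shown for contrast, never executed below): the font is
 * trusted to stay inside the stack, so a crafted instruction stream can
 * write past stack[] into whatever follows it in memory. */
void push_unchecked(ttvm *vm, int32_t v)
{
    vm->stack[vm->sp++] = v;
}

/* Hardened pattern: every push and pop checks the bounds and reports an
 * error instead of touching memory outside the stack. */
static int push_checked(ttvm *vm, int32_t v)
{
    if (vm->sp >= STACK_SLOTS)
        return VM_ERR_STACK_OVERFLOW;
    vm->stack[vm->sp++] = v;
    return VM_OK;
}

static int pop_checked(ttvm *vm, int32_t *out)
{
    if (vm->sp == 0)
        return VM_ERR_STACK_UNDERFLOW;
    *out = vm->stack[--vm->sp];
    return VM_OK;
}

/* Executes a hinting program. Returns VM_OK and stores the top of stack in
 * *result (0 if the stack is empty), or an error code, in which case the
 * program is rejected, as an engine should reject the font that carries it. */
int ttvm_run_checked(const uint8_t *prog, size_t len, int32_t *result)
{
    ttvm vm = { {0}, 0 };
    size_t pc = 0;
    int32_t a, b;
    int rc;

    while (pc < len) {
        uint8_t op = prog[pc++];
        switch (op) {
        case OP_PUSHB0:                      /* push one byte from the stream */
            if (pc >= len)
                return VM_ERR_BAD_PROGRAM;   /* operand missing */
            if ((rc = push_checked(&vm, prog[pc++])) != VM_OK) return rc;
            break;
        case OP_DUP:                         /* duplicate the top of stack */
            if ((rc = pop_checked(&vm, &a)) != VM_OK) return rc;
            if ((rc = push_checked(&vm, a)) != VM_OK) return rc;
            if ((rc = push_checked(&vm, a)) != VM_OK) return rc;
            break;
        case OP_POP:
            if ((rc = pop_checked(&vm, &a)) != VM_OK) return rc;
            break;
        case OP_ADD:
            if ((rc = pop_checked(&vm, &b)) != VM_OK) return rc;
            if ((rc = pop_checked(&vm, &a)) != VM_OK) return rc;
            if ((rc = push_checked(&vm, a + b)) != VM_OK) return rc;
            break;
        default:
            return VM_ERR_BAD_PROGRAM;
        }
    }
    *result = vm.sp ? vm.stack[vm.sp - 1] : 0;
    return VM_OK;
}

/* Constructed sample programs (not taken from any real font). */
static const uint8_t PROG_OK[] = {
    OP_PUSHB0, 3, OP_PUSHB0, 4, OP_ADD, OP_DUP, OP_ADD        /* (3 + 4) * 2 */
};
static const uint8_t PROG_OVERFLOW[] = {
    OP_PUSHB0, 1,                                             /* sp = 1 */
    OP_DUP, OP_DUP, OP_DUP, OP_DUP, OP_DUP, OP_DUP, OP_DUP,   /* sp = 8 = STACK_SLOTS */
    OP_DUP                                                    /* ninth value: rejected */
};
static const uint8_t PROG_UNDERFLOW[] = { OP_ADD };          /* ADD on an empty stack */

int32_t demo_ok(void)    { int32_t r = -1; ttvm_run_checked(PROG_OK, sizeof PROG_OK, &r); return r; }
int demo_overflow(void)  { int32_t r = 0; return ttvm_run_checked(PROG_OVERFLOW, sizeof PROG_OVERFLOW, &r); }
int demo_underflow(void) { int32_t r = 0; return ttvm_run_checked(PROG_UNDERFLOW, sizeof PROG_UNDERFLOW, &r); }

int main(void)
{
    printf("well-formed program: result %d\n", (int)demo_ok());
    printf("overflowing program: error %d (expect %d)\n", demo_overflow(), VM_ERR_STACK_OVERFLOW);
    printf("underflowing program: error %d (expect %d)\n", demo_underflow(), VM_ERR_STACK_UNDERFLOW);
    return 0;
}
```

The point of the checked variant is that the bound comes from the engine, not from the font: the interpreter decides how large the stack is and refuses any instruction stream that would step outside it, so the worst a crafted font can do is fail to render.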

It should be noted that in recent years Canon has focused on securing printer firmware. For example, it uses the DACR (Domain Access Control) registers and the NX (no-execute) flag supported in ARM processors to limit the ability to modify system code or to execute code in memory regions intended solely for data storage. Despite these efforts, the overall DryOS architecture doesn’t allow for effective implementation of memory protection mechanisms such as ASLR or stack canaries, which are standard in larger modern operating systems. This is why researchers occasionally find ways to bypass the existing protection. In the attack discussed here, for instance, the malicious code was executed by placing it, via the TTF trick, into a memory buffer intended for a different printing protocol — IPP.

Realistic exploitation scenario

In their bulletin describing the vulnerability, Canon asserts that the vulnerability can be exploited remotely if the printer is accessible via the internet. Consequently, they suggest configuring a firewall so the printer can only be used from the internal office network. While this is good advice and the printer should indeed be removed from public access, this isn’t the only attack scenario.

In his report, Peter Geissler pointed to a much more realistic, hybrid scenario in which the attacker sends an employee an attachment in an email or a messenger message and, under one pretext or another, suggests they print it. If the victim does send the document to print — within the internal organization network and without any internet exposure — the malicious code is executed on the printer. Naturally, the capabilities of malware running on a printer are limited compared to malware that has infected a full-fledged computer. However, it could, for example, create a tunnel by establishing a connection to the attacker’s server — allowing the attackers to target other computers in the organization. Another possible use of malware on the printer is forwarding everything the company prints directly to the attacker’s server. In certain organizations, such as law firms, this could amount to a critical data breach.

How to fend off this printer threat

The vulnerability CVE-2024-12649 and several closely related defects can be eliminated by installing the printer firmware update according to Canon’s instructions. Unfortunately, many organizations — even those that diligently update software on computers and servers — lack a systematic process for updating printer firmware. The process must be implemented for all equipment connected to the computer network.

However, security researchers emphasize that there’s a multitude of attack vectors targeting specialized equipment. Therefore, there’s no guarantee that attackers won’t arm themselves tomorrow with a similar exploit unknown to printer manufacturers or their customers. To minimize the risk of exploitation:

  • Segment the network — limiting the printer’s ability to establish outbound connections and to accept connections from devices and users not authorized to print.
  • Disable all unused services on the printer.
  • Set a unique, complex administrator password on each printer/device.
  • Implement a comprehensive security system within the organization — including EDR installed on all computers and servers, a modern firewall, and comprehensive network monitoring based on a SIEM system.

Source: Kaspersky official blog