CVE-2022-29588 - Cleartext Password Vulnerability in Konica Minolta bizhub MFP Devices Explained

Konica Minolta printers and multifunction devices (MFPs) are everywhere—in schools, offices, hospitals, even small businesses. These multi-tasking machines handle everything from basic printing to copying, scanning, and even document storage. But what if someone found a way to sneak into your MFP and snatch admin passwords out in the open, without breaking a sweat?

That’s exactly what CVE-2022-29588 is about. In this post, we break down the key details of this serious vulnerability in simple language, show a proof-of-concept on how an attacker could get that password, and help you understand the risks with real-world examples.

What Is CVE-2022-29588?

CVE-2022-29588 is a security issue that affects Konica Minolta bizhub Multifunction Printers before April 2022. The root problem? Weak password management.

On vulnerable devices, administrator passwords are stored in plain text in two key files

- /var/log/nginx/html/ADMINPASS
- /etc/shadow

The first file in particular (ADMINPASS) is unintentionally readable to attackers who can access the system, while /etc/shadow is supposed to have passwords in a hashed format (not readable!), but on these devices both files expose information in clear, readable form.

What Devices Are Affected?

Pretty much any Konica Minolta bizhub MFP that hasn’t been updated since April 2022 is likely affected. Always check with Konica Minolta’s Security Advisories and NIST’s National Vulnerability Database entry for CVE-2022-29588 for the latest.

Why Is This Dangerous?

- Direct admin takeover. Anyone who can access the printer’s file system, locally or over the network (depending on setup), can grab the admin password.
- Expands to the whole network. With admin credentials to one MFP, attackers might abuse scan-to-email, upload malware, intercept printed confidential docs, or use the device as a bounce point to attack other devices in your network.

Step 1: Accessing the File System

Most bizhub devices run a thin version of Linux. If an attacker gets *shell access*, SSH, or can upload files via exposed services (for example, through misconfigurations of FTP/web services), they can browse the device’s file system.

Step 2: Read the Password File

# Find and display the ADMINPASS file
cat /var/log/nginx/html/ADMINPASS

# Or, check the shadow file (which should NOT be readable!)
cat /etc/shadow

Suppose ADMINPASS contains

admin:ABC1234

And /etc/shadow contains something like

admin:ABC1234:19000::99999:7:::

*Note: In a secure system, /etc/shadow should have hashed (scrambled) passwords, not the actual password in clear text!*

Step 3: Use the Exposed Password

Now, the attacker logs into the printer’s web UI, admin interface, or even does further damage using the admin credentials they just stole.

Using a known exploit (or a default password), attacker gains basic shell access.

4. Reads /var/log/nginx/html/ADMINPASS or /etc/shadow.

Is There a Public Exploit?

Because the vulnerability is about cleartext password storage, an “exploit” is as simple as reading a file over the device’s shell, FTP, web, or possibly via LFI (Local File Inclusion) vulnerabilities if the web server configuration is weak.

If you have shell access

cat /var/log/nginx/html/ADMINPASS

If the web server exposes this file (poorly restricted)

http://<PRINTER_IP>/ADMINPASS

Try to access the file directly: if successful, you’ll see the admin credentials.

Mitigation: How to Fix or Protect Yourself

- Update firmware: Go to Konica Minolta’s support page and get the latest updates for your model.
- Restrict access: Always segment printers off sensitive networks, and block public SSH/FTP/web admin.

References and More Reading

- NVD CVE-2022-29588
- Konica Minolta Security Notice (PDF)
- Konica Minolta Product Security
- Shadow File Overview (Linux)

Final Thoughts

CVE-2022-29588 is a classic, old-school mistake that’s still popping up—cleartext password storage in widely-deployed devices is a huge risk, especially since printers are often overlooked in security plans. If you’ve got Konica Minolta bizhub MFPs, patch and audit *now*. And remember, every connected device is a computer—treat your printers like you would a server!


TL;DR:  
On affected Konica Minolta bizhub MFPs, admin passwords are stored as clear text in exposed files. Attackers with minimal access can instantly grab these values and take over the device. Patch your printers and rotate your passwords immediately!

Timeline

Published on: 05/16/2022 06:15:00 UTC
Last modified on: 05/30/2022 00:19:00 UTC