Security Bulletins

Response to vulnerabilities in OKI’s digital multi-function peripherals

14/06/2024


Oki Electric Industry Co., Ltd.

Thank you for using our products.

Several vulnerabilities have been identified in certain of our multi-function peripherals. This issue does not result in the leakage of information from the product to outside parties.

Vulnerability details

Target Products: ES9466MFP/ES9476MFP


  • Vulnerability Type: Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') (CWE-776)

    Some APIs (Application Programming Interfaces) accept HTTP requests from the multifunction device's network without authentication; a crafted request can cause the device to stop operating (DoS).

    Vulnerability identification number: CVE-2024-27141, CVE-2024-27142


  • Vulnerability Type: Execution with Unnecessary Privileges(CWE-250)

    Because some programs run with root privileges, an attacker who hijacks one of those programs by some means can execute arbitrary code on the multifunction device with root privileges.

    Vulnerability identification number: CVE-2024-27143, CVE-2024-27146, CVE-2024-27147


  • Vulnerability Type: Incorrect Default Permissions (CWE-276)

    Because of inappropriate permission settings on some programs, if root privileges are hijacked by some means, arbitrary code can be executed on the multifunction device.

    Vulnerability identification number: CVE-2024-27148, CVE-2024-27149, CVE-2024-27150, CVE-2024-27151, CVE-2024-27152, CVE-2024-27153, CVE-2024-27155, CVE-2024-27167, CVE-2024-27171


  • Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

    Through the web management program (TopAccess), it is possible to place an arbitrary file at an arbitrary location on the multifunction device.

    Vulnerability identification number: CVE-2024-27144, CVE-2024-27145, CVE-2024-27173, CVE-2024-27174, CVE-2024-27176, CVE-2024-27177, CVE-2024-27178


  • Vulnerability Type: Insertion of Sensitive Information into Log File (CWE-532)

    Because some authentication information is written to the log file, a third party who has access to the multifunction device can obtain it, for example by spoofing the external communications that cause it to be logged.

    Vulnerability identification number: CVE-2024-27154, CVE-2024-27156, CVE-2024-27157


  • Vulnerability Type: Plaintext Storage of a Password (CWE-256)

    Because some information is stored unencrypted, it can be stolen by a third party who has access to the multifunction device.

    Vulnerability identification number: CVE-2024-27166


  • Vulnerability Type: Debug Messages Revealing Unnecessary Information (CWE-1295)

    Because important information is included in the debugging log file, the information can be stolen by a third party who has access to the multifunction device.

    Vulnerability identification number: CVE-2024-27179


  • Vulnerability Type: Use of Default Credentials (CWE-1392)

    Because the internal programs of the multifunction device share common default credentials for access between one another, information can be stolen by a third party who has access to the multifunction device.

    Vulnerability identification number: CVE-2024-27158


  • Vulnerability Type: Use of Hard-coded Credentials (CWE-798)

    Because some of the authentication information between the multifunction device's internal programs is written directly into the program, the information can be stolen by a third party who has access to the multifunction device.

    Vulnerability identification number: CVE-2024-27159, CVE-2024-27160, CVE-2024-27161, CVE-2024-27168, CVE-2024-27170


  • Vulnerability Type: Use of Hard-coded Password (CWE-259)

    Because part of the authentication password between the multifunction device's internal programs is written directly into the program, the information can be stolen by a third party who has access to the multifunction device.

    Vulnerability identification number: CVE-2024-27164


  • Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

    There is a cross-site scripting vulnerability in the web management program (TopAccess), which allows information to be stolen by a third party who has access to the multifunction device.

    Vulnerability identification number: CVE-2024-27162


  • Vulnerability Type: Cleartext Transmission of Sensitive Information (CWE-319)

    Because some of the communication between the internal programs of the multifunction device is not encrypted, information can be stolen by a third party who has access to the multifunction device.

    Vulnerability identification number: CVE-2024-27163


  • Vulnerability Type: Least Privilege Violation (CWE-272)

    Part of the multifunction device's internal program code uses a vulnerable code set, allowing information to be stolen by a third party who has access to the multifunction device.

    Vulnerability identification number: CVE-2024-27165


  • Vulnerability Type: Missing Authentication for Critical Function (CWE-306)

    Because some APIs of the multifunction device's internal programs can be reached without authentication, information can be stolen by a third party who has access to the multifunction device.

    Vulnerability identification number: CVE-2024-27169


  • Vulnerability Type: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

    Some APIs of the multifunction device's internal programs can be reached without authentication, and an OS command injection in them allows arbitrary code to be executed on the multifunction device.

    Vulnerability identification number: CVE-2024-27172


  • Vulnerability Type: External Control of File Name or Path (CWE-73)

    Some APIs in the internal programs of multifunction devices do not check the input of file names, so any file can be placed in the multifunction device.

    Vulnerability identification number: CVE-2024-27175

  • Vulnerability Type: Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)

    The encryption key used to install an application on the multifunction device can be replaced in the window between the time it is checked and the time it is used, allowing information inside the multifunction device to be tampered with.

    Vulnerability identification number: CVE-2024-27180


  • Vulnerability Type: Authentication Bypass Using an Alternate Path or Channel(CWE-288)

    When the user authentication function is disabled, it is possible to bypass the administrator authentication process for the web page for accessing the multifunction device's system information and uploading drivers.

    Vulnerability identification number: CVE-2024-3496


  • Vulnerability Type: Relative Path Traversal(CWE-23)

    A directory traversal vulnerability allows, when user authentication is disabled, files on the multifunction device to be overwritten or new files to be placed on it.

    Vulnerability identification number: CVE-2024-3497


  • Vulnerability Type: Execution with Unnecessary Privileges (CWE-250)

    If user authentication is disabled, a malicious file placed on the device can be executed by enabling the corresponding service from the MFP's web interface, and it then runs with root privileges.

    Vulnerability identification number: CVE-2024-3498
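CWE-776, listed first above, is the XML entity-expansion ("billion laughs") weakness: a few hundred bytes of DTD make the parser allocate and copy kilobytes to gigabytes of text, which on an unauthenticated endpoint is a one-request denial of service. The block below is an added example, not OKI's code and not taken from the affected firmware; it constructs such a document, measures the amplification a parser that honours the DTD produces, and shows the usual fix, refusing any DOCTYPE before a single entity is expanded. The document, the `depth`/`fanout` sizes and the function names are assumptions made for the demonstration.

```python
# Added example (not OKI's code, not taken from the affected firmware):
# why an unauthenticated XML endpoint with CWE-776 is a denial of service,
# and how to refuse it. The document and its sizes are constructed here.
import xml.etree.ElementTree as ET
import xml.parsers.expat


def build_expansion_doc(depth: int, fanout: int) -> str:
    """Construct a nested-entity ('billion laughs') document.

    lol0 expands to 'lol'; each lol_n expands to `fanout` copies of lol_{n-1},
    so the text expands to 3 * fanout**depth bytes from a document whose size
    grows only linearly in depth and fanout.
    """
    entities = ['<!ENTITY lol0 "lol">']
    for n in range(1, depth + 1):
        ref = f"&lol{n - 1};" * fanout
        entities.append(f'<!ENTITY lol{n} "{ref}">')
    return ('<?xml version="1.0"?>\n<!DOCTYPE job [\n'
            + "\n".join(entities)
            + f'\n]>\n<job>&lol{depth};</job>\n')


def naive_parse_length(doc: str) -> int:
    """Parse the way a service that accepts a DTD does.

    Returns the number of bytes the entity references expanded to; the ratio
    to len(doc) is the amplification an unauthenticated client buys per
    request. Recent expat builds cap this at ~100x once output passes 8 MiB,
    but a request that stays below that still costs the device CPU and memory.
    """
    root = ET.fromstring(doc)
    return len(root.text or "")


class DtdRejected(Exception):
    """Raised when untrusted input carries a DOCTYPE declaration."""


def parse_untrusted(doc: str) -> str:
    """Hardened parse: refuse any DOCTYPE (and thus any entity declaration)
    before anything is expanded. An API that exchanges plain elements never
    needs a DTD, so rejecting it costs nothing legitimate.
    Returns the concatenated character data of the document."""
    parser = xml.parsers.expat.ParserCreate()
    text = []

    def on_doctype(name, sysid, pubid, has_internal_subset):
        # An exception raised in an expat handler aborts Parse() and propagates.
        raise DtdRejected(f"DOCTYPE {name!r} not allowed in API input")

    parser.StartDoctypeDeclHandler = on_doctype
    parser.CharacterDataHandler = text.append
    parser.Parse(doc, True)
    return "".join(text)


def rejects_dtd(doc: str) -> bool:
    """True if the hardened parser refuses the document."""
    try:
        parse_untrusted(doc)
    except DtdRejected:
        return True
    return False


if __name__ == "__main__":
    doc = build_expansion_doc(depth=3, fanout=10)
    expanded = naive_parse_length(doc)
    print(f"{len(doc)} request bytes -> {expanded} bytes of text "
          f"({expanded / len(doc):.1f}x amplification)")
    print("hardened parser rejects it:", rejects_dtd(doc))
    print("plain job still parses:", parse_untrusted("<job>print</job>"))
```

With depth 3 and fanout 10 the request is about 300 bytes and expands to 3000 bytes of text; raising both to the values real attacks use turns that into gigabytes. Rejecting the DOCTYPE is preferable to capping expansion because it removes the entire attack surface (external entities included) rather than tuning a limit.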

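Three of the items above (CWE-22, CWE-23 and CWE-73) describe the same pattern: a client-supplied file name reaches the filesystem without being confined to the intended directory, so "any file can be placed in the multifunction device". The block below is an added example, not OKI's code and not taken from TopAccess; it shows the naive join beside a hardened version that decodes once, refuses absolute paths and `..` components, and then checks containment on the resolved path. The upload directory, the sample names and the function names are constructed for the demonstration.

```python
# Added example (not OKI's code, not taken from TopAccess): the pattern behind
# CWE-22/CWE-23/CWE-73 in a file-upload handler, beside a hardened version.
# The upload directory and file names are constructed for the demo.
import os
import posixpath
import tempfile
from urllib.parse import unquote

# Constructed client-supplied names: benign ones and typical traversal attempts.
SAMPLE_NAMES = [
    "firmware.bin",
    "sub/dir/firmware.bin",
    "../../etc/passwd",
    "/etc/passwd",
    "..%2f..%2fetc%2fpasswd",
    "sub\\..\\..\\x.bin",
    "%252e%252e/",
]


def vulnerable_upload_path(upload_dir: str, client_name: str) -> str:
    # The bug: the client-controlled name is joined straight into the
    # destination. os.path.join drops upload_dir entirely when client_name is
    # absolute, and '..' components walk out of it. A lexical
    # startswith(upload_dir) check would not help: 'uploads/../../etc/passwd'
    # starts with 'uploads/'.
    return os.path.join(upload_dir, client_name)


def safe_upload_path(upload_dir: str, client_name: str) -> str:
    """Return an absolute path inside upload_dir, or raise ValueError."""
    # Decode once so '%2e%2e%2f' is judged as '../', then refuse a second
    # encoding layer rather than decoding in a loop.
    name = unquote(client_name)
    if "%" in name:
        raise ValueError("nested percent-encoding rejected")
    if "\x00" in name:
        raise ValueError("NUL byte in file name")
    # Treat '/' and '\' alike: the OS may be POSIX while the HTTP layer
    # accepts Windows-style separators.
    name = name.replace("\\", "/")
    if posixpath.isabs(name):
        raise ValueError("absolute path rejected")
    parts = [p for p in name.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        raise ValueError("empty name or traversal component rejected")
    base = os.path.realpath(upload_dir)
    target = os.path.realpath(os.path.join(base, *parts))
    # Final containment check on the *resolved* path: catches a symlink
    # already inside upload_dir that points elsewhere.
    if os.path.commonpath([base, target]) != base:
        raise ValueError("resolved path escapes upload directory")
    return target


def is_accepted(upload_dir: str, client_name: str) -> bool:
    try:
        safe_upload_path(upload_dir, client_name)
    except ValueError:
        return False
    return True


def demo() -> dict:
    """Run both handlers over SAMPLE_NAMES in a scratch directory.

    Returns {name: (vulnerable_path_escapes_upload_dir, safe_handler_accepts)}.
    """
    results = {}
    with tempfile.TemporaryDirectory() as scratch:
        uploads = os.path.join(scratch, "uploads")
        os.mkdir(uploads)
        base = os.path.realpath(uploads)
        for name in SAMPLE_NAMES:
            naive = os.path.realpath(vulnerable_upload_path(uploads, name))
            escapes = os.path.commonpath([base, naive]) != base
            results[name] = (escapes, is_accepted(uploads, name))
    return results


if __name__ == "__main__":
    for name, (escapes, accepted) in demo().items():
        print(f"{name!r:32} vulnerable escapes={escapes!s:5} "
              f"hardened accepts={accepted}")
```

The two-layer check matters: component filtering rejects the obvious cases cheaply, but only the containment test on the resolved path defends against a symlink that an earlier upload or a misconfigured service left inside the directory. Note also that the percent-encoded and backslash variants do not escape on a POSIX host when joined literally, which is exactly why a handler that decodes or normalises separators somewhere upstream must validate after that step, not before it.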


Solution: Ask your service company to update the main unit software.

Workaround: Do not expose the device directly to the Internet; connect it to a network protected by a firewall, as described in the manual. Additionally, enable the user authentication function and manage passwords appropriately. Several of the issues above (CVE-2024-3496, CVE-2024-3497, CVE-2024-3498) are only reachable while user authentication is disabled.


©1995-2024 Oki Europe Ltd.