Response to vulnerabilities in OKI’s digital multi-function peripherals
June 14, 2024
Oki Electric Industry Co., Ltd.
Thank you for using our products.
Vulnerabilities have been identified in some of our multi-function peripherals. This issue may result in the leakage of information from the product to outside parties, and immediate action is recommended.
▮Affected Products
Model: ES9 (ES9466MFP and ES9476MFP)
Expected Lifecycle: 5−7 years
Discontinued: 2019
▮Recommended Actions
Solution: OKI have rolled out updated firmware for installation on your ES9 units. Ask your OKI Authorised Service Partner to update the main unit firmware to ensure that relevant patches remedying the identified vulnerabilities are implemented and threats are avoided.
This update addresses all vulnerabilities listed below.
Workaround: When connecting to the Internet, connect through a network protected by a firewall as described in the manual. Additionally, enable the user authentication function and manage your passwords appropriately.
▮Vulnerability details
VIN = Vulnerability Identification Number
VIN: CVE-2024-27141, CVE-2024-27142
Type: Improper Restriction of Recursive Entity References (CWE-776)
Description: With some APIs (Application Program Interfaces), it is possible to send HTTP requests to multifunction devices without authentication.
Impact: This vulnerability can cause the device to stop operating (DoS).
Date Identified: 19/2/2024
Date Fixed: 14/6/2024
Version Fixed: Firmware Ver.0373SY0W1047B
1. Vulnerability Type: Execution with Unnecessary Privileges (CWE-250)
Because some programs run with root privileges, if the programs are hijacked through certain means, arbitrary code can be executed on the multifunction device.
Vulnerability identification number: CVE-2024-27143, CVE-2024-27146, CVE-2024-27147
2. Vulnerability Type: Weakness Variant (CWE-276)
Due to inappropriate permission settings for some programs, if root privileges are hijacked through certain means, arbitrary code can be executed on the multifunction device.
Vulnerability identification number: CVE-2024-27148, CVE-2024-27149, CVE-2024-27150, CVE-2024-27151, CVE-2024-27152, CVE-2024-27153, CVE-2024-27155, CVE-2024-27167, CVE-2024-27171
3. Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)
With the web management program (TopAccess), it is possible to place any file in the multifunction device.
Vulnerability identification number: CVE-2024-27144, CVE-2024-7145, CVE-2024-27173, CVE-2024-27174, CVE-2024-27176, CVE-2024-27177, CVE-2024-27178
4. Vulnerability Type: Insertion of Sensitive Information into Log File (CWE-532)
Because some authentication information is written to the log file, by spoofing external communications, the information can be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27154, CVE-2024-27156, CVE-2024-27157
5. Vulnerability Type: Plaintext Storage of Important Information (CWE-256)
Because some information is stored unencrypted, it can be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27166
6. Vulnerability Type: Debug Messages Revealing Unnecessary Information (CWE-1295)
Because important information is included in the debugging log file, the information can be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27179
7. Vulnerability Type: Use of Default Credentials (CWE-1392)
Because shared (default) authentication information is used for access between the internal programs of the multifunction device, information can be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27158
8. Vulnerability Type: Use of Hard-coded Credentials (CWE-798)
Because some of the authentication information between the multifunction device's internal programs is written directly into the program, the information can be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27159, CVE-2024-27160, CVE-2024-27161, CVE-2024-27168, CVE-2024-27170
9. Vulnerability Type: Use of Hard-coded Password (CWE-259)
Because part of the authentication password between the multifunction device's internal programs is written directly into the program, the information can be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27164
10. Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
There is a cross-site scripting vulnerability in the web management program (TopAccess), which allows information to be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27162
11. Vulnerability Type: Cleartext Transmission of Sensitive Information (CWE-319)
Because some of the communication between the internal programs of the multifunction device is not encrypted, information can be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27163
12. Vulnerability Type: Least Privilege Violation (CWE-272)
A vulnerable code set is used in part of the internal program code of the multifunction device, and information can be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27165
13. Vulnerability Type: Missing Authentication for Critical Function (CWE-306)
Because there is a way to access some APIs of the internal programs of multifunction devices without authorization, information can be stolen by a third party who has access to the multifunction device.
Vulnerability identification number: CVE-2024-27169
14. Vulnerability Type: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
There is a way to access some APIs of the internal programs of multifunction devices without authorization, so arbitrary code can be executed on the multifunction device.
Vulnerability identification number: CVE-2024-27172
15. Vulnerability Type: External Control of File Name or Path (CWE-73)
Some APIs in the internal programs of multifunction devices do not validate file-name input, so any file can be placed in the multifunction device.
Vulnerability identification number: CVE-2024-27175
16. Vulnerability Type: Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
The encryption key used to install an application on the multifunction device becomes temporarily replaceable, allowing the information inside the multifunction device to be tampered with.
Vulnerability identification number: CVE-2024-27180
17. Vulnerability Type: Authentication Bypass Using an Alternate Path or Channel (CWE-288)
When the user authentication function is disabled, it is possible to bypass the administrator authentication process for the web page for accessing the multifunction device's system information and uploading drivers.
Vulnerability identification number: CVE-2024-3496
18. Vulnerability Type: Relative Path Traversal (CWE-23)
If a multifunction device has a directory traversal vulnerability and user authentication is disabled, files on the multifunction device can be overwritten or new files can be placed.
Vulnerability identification number: CVE-2024-3497
19. Vulnerability Type: Execution with Unnecessary Privileges (CWE-250)
If user authentication is disabled, a malicious file can be executed by enabling the service from the MFP's web interface, elevating its privileges to root.
Vulnerability identification number: CVE-2024-3498
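The following fleet-triage script is an added example, not OKI's own code or tooling: it walks a constructed device inventory and reports, per ES9 unit, whether the fixed firmware is installed and, while it is not, whether the advisory's interim workarounds (user authentication enabled, network protected by a firewall) are in place, noting the CVEs (items 17 to 19 and the unauthenticated API DoS) that each gap leaves exposed. The inventory record layout and the hostnames are assumptions, and firmware is compared by exact equality with the "Version Fixed" string because the advisory does not document how versions are ordered.

```python
# Added fleet-triage example for this advisory, not OKI's code. Assumption:
# the record layout is constructed, and firmware is compared by exact
# equality with "Version Fixed" since the advisory gives no version ordering.

AFFECTED_MODELS = {"ES9466MFP", "ES9476MFP"}
FIXED_FIRMWARE = "0373SY0W1047B"  # "Version Fixed" from the advisory
# CVEs the advisory conditions on user authentication being disabled
AUTH_DISABLED_CVES = ("CVE-2024-3496", "CVE-2024-3497", "CVE-2024-3498")


def triage_device(device):
    """Return findings for one record (empty list = nothing to do)."""
    findings = []
    model = (device.get("model") or "").strip().upper()
    if model not in AFFECTED_MODELS:
        return findings  # not an ES9 unit covered by this advisory
    fw = (device.get("firmware") or "").strip().upper()
    if fw == FIXED_FIRMWARE:
        return findings  # patched: the update addresses all listed CVEs
    findings.append(f"firmware {fw or 'unknown'} is not {FIXED_FIRMWARE}: "
                    "have the OKI service partner update the main unit")
    # Interim workarounds from the advisory, checked only while unpatched.
    if not device.get("user_auth", False):
        findings.append("user authentication disabled: exposes "
                        + ", ".join(AUTH_DISABLED_CVES) + "; enable it")
    if not device.get("behind_firewall", False):
        findings.append("not behind a firewall: unauthenticated API requests "
                        "(CVE-2024-27141/27142 DoS) reachable; firewall it")
    return findings


def triage_fleet(inventory):
    """Map host -> findings, omitting devices with nothing to report."""
    return {d["host"]: f for d in inventory if (f := triage_device(d))}


# Constructed sample inventory; hosts, models and the old firmware string
# "0373SY0W1030" are placeholders, not real devices or releases.
SAMPLE_INVENTORY = [
    {"host": "mfp-01", "model": "ES9466MFP", "firmware": "0373SY0W1047B",
     "user_auth": True, "behind_firewall": True},
    {"host": "mfp-02", "model": "ES9476MFP", "firmware": "0373SY0W1030",
     "user_auth": False, "behind_firewall": True},
    {"host": "mfp-03", "model": "ES9466MFP", "firmware": None,
     "user_auth": True, "behind_firewall": False},
    {"host": "other-04", "model": "OTHER-MODEL", "firmware": "X",
     "user_auth": False, "behind_firewall": False},
]

if __name__ == "__main__":
    for host, findings in triage_fleet(SAMPLE_INVENTORY).items():
        print(host, *findings, sep="\n  ")
```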