Response to vulnerabilities in OKI’s digital multi-function peripherals

14/06/2024


Oki Electric Industry Co., Ltd.

 

Thank you for using our products.

 

Vulnerabilities have been identified in some of our multi-function peripherals. This issue may result in the leakage of information from the product to outside parties, and immediate action is recommended.

 

Affected Products

Model: ES9 (ES9466MFP and ES9476MFP)

Expected Lifecycle: 5-7 years

Discontinued: 2019


Recommended Actions

Solution: OKI have rolled out updated firmware for installation on your ES9 units. Ask your OKI Authorised Service Partner to update the main unit firmware to ensure that relevant patches remedying the identified vulnerabilities are implemented and threats are avoided.

This update addresses all vulnerabilities listed below.

Workaround: When connecting to the Internet, connect to a network protected through a firewall as described in the manual. Additionally, enable the user authentication function and manage your passwords appropriately.

 

Vulnerability details

VIN = Vulnerability Identification Number

 

VIN: CVE-2024-27141, CVE-2024-27142

Type: Improper Restriction of Recursive Entity References (CWE-776)

Description: With some APIs (Application Programming Interfaces), it is possible to send HTTP requests to multifunction devices without authentication.

Impact: This vulnerability can cause the device to stop operating (DoS).

Date Identified: 19/2/2024

Date Fixed: 14/6/2024

Version Fixed: Firmware Ver.0373SY0W1047B

 

 

1.   Vulnerability Type: Execution with Unnecessary Privileges (CWE-250)

Because some programs run with root privileges, if the programs are hijacked through certain means, arbitrary code can be executed on the multifunction device.

Vulnerability identification number: CVE-2024-27143, CVE-2024-27146, CVE-2024-27147

 

2.   Vulnerability Type: Incorrect Default Permissions (CWE-276)

Due to inappropriate permission settings for some programs, if root privileges are hijacked through certain means, arbitrary code can be executed on the multifunction device.

Vulnerability identification number: CVE-2024-27148, CVE-2024-27149, CVE-2024-27150, CVE-2024-27151, CVE-2024-27152, CVE-2024-27153, CVE-2024-27155, CVE-2024-27167, CVE-2024-27171

 

3.   Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal') (CWE-22)

With the web management program (TopAccess), it is possible to place any file in the multifunction device.

Vulnerability identification number: CVE-2024-27144, CVE-2024-7145, CVE-2024-27173, CVE-2024-27174, CVE-2024-27176, CVE-2024-27177, CVE-2024-27178

 

4.   Vulnerability Type: Insertion of Sensitive Information into Log File (CWE-532)

Because some authentication information is written to the log file, by spoofing external communications, the information can be stolen by a third party who has access to the multifunction device.

Vulnerability identification number: CVE-2024-27154, CVE-2024-27156, CVE-2024-27157

 

5.   Vulnerability Type: Plaintext Storage of Important Information (CWE-256)

Because some information is stored unencrypted, it can be stolen by a third party who has access to the multifunction device.

Vulnerability identification number: CVE-2024-27166

 

6.   Vulnerability Type: Debug Messages Revealing Unnecessary Information (CWE-1295)

Because important information is included in the debugging log file, the information can be stolen by a third party who has access to the multifunction device.

Vulnerability identification number: CVE-2024-27179

 

7.   Vulnerability Type: Use of Default Credentials (CWE-1392)

Since common authentication information is included in the access between the internal programs of the multifunction device, information can be stolen by a third party who has access to the multifunction device.

Vulnerability identification number: CVE-2024-27158

 

8.   Vulnerability Type: Use of Hard-coded Credentials (CWE-798)

Because some of the authentication information between the multifunction device's internal programs is written directly into the program, the information can be stolen by a third party who has access to the multifunction device.

Vulnerability identification number: CVE-2024-27159, CVE-2024-27160, CVE-2024-27161, CVE-2024-27168, CVE-2024-27170

 

9.   Vulnerability Type: Use of Hard-coded Password (CWE-259)

Because part of the authentication password between the multifunction device's internal programs is written directly into the program, the information can be stolen by a third party who has access to the multifunction device.

Vulnerability identification number: CVE-2024-27164

 

10. Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)

There is a cross-site scripting vulnerability in the web management program (TopAccess), which allows information to be stolen by a third party who has access to the multifunction device.

Vulnerability identification number: CVE-2024-27162

 

11. Vulnerability Type: Cleartext Transmission of Sensitive Information (CWE-319)

Because some of the communication between the internal programs of the multifunction device is not encrypted, information can be stolen by a third party who has access to the multifunction device.

Vulnerability identification number: CVE-2024-27163

 

12. Vulnerability Type: Least Privilege Violation (CWE-272)

A vulnerable code set is used in part of the internal program code of the multifunction device, and information can be stolen by a third party who has access to the multifunction device.

Vulnerability identification number: CVE-2024-27165

 

13. Vulnerability Type: Missing Authentication for Critical Function (CWE-306)

Because there is a way to access some APIs of the internal programs of multifunction devices without authorization, information can be stolen by a third party who has access to the multifunction device.

Vulnerability identification number: CVE-2024-27169

 

14. Vulnerability Type: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)

There is a way to access some APIs of the internal programs of multifunction devices without authorization, so arbitrary code can be executed on the multifunction device.

Vulnerability identification number: CVE-2024-27172

 

15. Vulnerability Type: External Control of File Name or Path (CWE-73)

Some APIs in the internal programs of multifunction devices do not check the input of file names, so any file can be placed in the multifunction device.

Vulnerability identification number: CVE-2024-27175

 

16. Vulnerability Type: Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)

The encryption key used to install an application on the multifunction device becomes temporarily replaceable, allowing the information inside the multifunction device to be tampered with.

Vulnerability identification number: CVE-2024-27180

 

17. Vulnerability Type: Authentication Bypass Using an Alternate Path or Channel (CWE-288)

When the user authentication function is disabled, it is possible to bypass the administrator authentication process for the web page for accessing the multifunction device's system information and uploading drivers.

Vulnerability identification number: CVE-2024-3496

 

18. Vulnerability Type: Relative Path Traversal (CWE-23)

If a multifunction device has a directory traversal vulnerability and user authentication is disabled, files on the multifunction device can be overwritten or new files can be placed.

Vulnerability identification number: CVE-2024-3497

 

19. Vulnerability Type: Execution with Unnecessary Privileges (CWE-250)

If user authentication is disabled, a malicious file can be executed by enabling the service from the MFP's web interface, elevating its privileges to root.

Vulnerability identification number: CVE-2024-3498


Copyright ©1995-2024 OKI Data Australia. All rights reserved.