Skip to navigation Skip to main content Skip to footer

Technical Advisory: Multiple Vulnerabilities in Kyocera Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Kyocera printers.

The vulnerability list below was found affecting to several Kyocera printers:

 

Technical Advisories:

Multiple Buffer Overflows in Web Server (CVE-2019-13196, CVE-2019-13197, CVE-2019-13202, CVE-2019-13203, CVE-2019-13206)

Vendor: Kyocera
Vendor URL: https://www.kyoceradocumentsolutions.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13196, 
 CVE-2019-13197, 
 CVE-2019-13202, 
 CVE-2019-13203, 
 CVE-2019-13206
Risk: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Summary

Some Kyocera printers were affected by several buffer overflow vulnerabilities in the web application that would allow an attacker to perform a Denial of Service attack, and potentially execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can lead to crash the device and potentially execute arbitrary code on the device.

Details

Specially crafted requests to the web server will cause a vulnerable device to crash. Buffer overflows and an integer overflow have been identified in different arguments of the web application. Exploitation of this issue allows to perform a Denial of Service and may lead to execute arbitrary code on the device.

CVSSv3 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Kyocera in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13196
https://nvd.nist.gov/vuln/detail/CVE-2019-13196

CVE-2019-13197
https://nvd.nist.gov/vuln/detail/CVE-2019-13197

CVE-2019-13202
https://nvd.nist.gov/vuln/detail/CVE-2019-13202

CVE-2019-13203
https://nvd.nist.gov/vuln/detail/CVE-2019-13203

CVE-2019-13206
https://nvd.nist.gov/vuln/detail/CVE-2019-13206

 

Devices Affected

The table below shows the devices and firmware versions affected:

Kyocera Models Affected Releases Fixed Releases
ECOSYS M5526CDW 2R7_2000.001.701  2R7_2000.002.301

*Reference: https://www.kyoceradocumentsolutions.eu/en/about-us/contact-us/press/vulnerabilities-ecosys-m5526cdw.html 

 

Multiple Buffer Overflows in IPP Service (CVE-2019-13204)

Vendor: Kyocera
Vendor URL: https://www.kyoceradocumentsolutions.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13204
Risk: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Summary

Some Kyocera printers were affected by multiple overflow vulnerabilities in the IPP service. This would allow an unauthenticated attacker to cause a Denial of Service (DoS) and potentially execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can lead to crash the device, and potentially to remote code execution on the affected device.

Details

Specially crafted requests to the IPP service will cause a vulnerable device to crash. Multiple buffer overflow vulnerabilities have been identified in the IPP service of Kyocera devices that allow an attacker to crash the device and potentially execute arbitrary code.

CVSSv3 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Kyocera in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13204
https://nvd.nist.gov/vuln/detail/CVE-2019-13204

Devices Affected

The table below shows the devices and firmware versions affected:

Kyocera Models Affected Releases Fixed Releases
ECOSYS M5526CDW 2R7_2000.001.701  2R7_2000.002.301

*Reference: https://www.kyoceradocumentsolutions.eu/en/about-us/contact-us/press/vulnerabilities-ecosys-m5526cdw.html 

 

Buffer Overflow in LPD Service (CVE-2019-13201)

Vendor: Kyocera
Vendor URL: https://www.kyoceradocumentsolutions.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13201
Risk: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

 

Summary

Some Kyocera printers were affected by a buffer overflow vulnerability in the LPD service. This would allow an unauthenticated attacker to cause a Denial of Service (DoS) in the LPD service and potentially execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can lead to crash the device, and potentially to remote code execution on the affected device.

Details

Specially crafted requests to the LPD service with big control files will cause the LPD service to crash, and potentially would allow to execute remote code on the affected device.

CVSSv3 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Kyocera in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13201
https://nvd.nist.gov/vuln/detail/CVE-2019-13201

Devices Affected

The table below shows the devices and firmware versions affected:

Kyocera Models Affected Releases Fixed Releases
ECOSYS M5526CDW 2R7_2000.001.701  2R7_2000.002.301

*Reference: https://www.kyoceradocumentsolutions.eu/en/about-us/contact-us/press/vulnerabilities-ecosys-m5526cdw.html 

 

Path Traversal (CVE-2019-13195)

Vendor: Kyocera
Vendor URL: https://www.kyoceradocumentsolutions.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13195
Risk: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Summary

The web application of some Kyocera printers was vulnerable to path traversal, allowing an unauthenticated user to retrieve arbitrary files under certain conditions, and also allowed to check if files or folders existed within the file system.

It was only possible to obtain files from the system that had a whitelisted extension, therefore, it was not possible to obtain typical files such as /etc/passwd.

Impact

Successful exploitation of this vulnerability can lead to access arbitrary files from the operating system.

Details

It was only possible to obtain files from the system that had a whitelisted extension, therefore, it was not possible to obtain typical files such as /etc/passwd.

Some extensions that seemed to be accepted were the following:

  • .htm
  • .js
  • .css
  • .ico
  • .sh
  • .png
  • .gif

 

CVSSv3 Base Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Impact Subscore: 3.6
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Kyocera in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13195
https://nvd.nist.gov/vuln/detail/CVE-2019-13195

Devices Affected

The table below shows the devices and firmware versions affected:

Kyocera Models Affected Releases Fixed Releases
ECOSYS M5526CDW 2R7_2000.001.701  2R7_2000.002.301

*Reference: https://www.kyoceradocumentsolutions.eu/en/about-us/contact-us/press/vulnerabilities-ecosys-m5526cdw.html 

 

Broken Access Controls (CVE-2019-13205)

Vendor: Kyocera
Vendor URL: https://www.kyoceradocumentsolutions.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13205
Risk: 8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Summary

All configuration parameters of the Kyocera printer were accessible by unauthenticated users. This information was only presented in the menus when authenticated, and the pages that loaded this information were also protected. However, all files that contained the configuration parameters were accessible.

Impact

These files contained sensitive information, such as users, community strings and other passwords configured in the printer.

Details

All the model files accessible through the web application, which contained all the configured parameters of the printer, were accessible without authentication. This included credentials that may affect other systems as well, as community strings.

CVSSv3 Base Score: 8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
Impact Subscore: 4.0
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Kyocera in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13205
https://nvd.nist.gov/vuln/detail/CVE-2019-13205

Devices Affected

The table below shows the devices and firmware versions affected:
KYOCERA MODELS AFFECTED RELEASES FIXED RELEASES

Kyocera Models Affected Releases Fixed Releases
ECOSYS M5526CDW 2R7_2000.001.701  2R7_2000.002.301

*Reference: https://www.kyoceradocumentsolutions.eu/en/about-us/contact-us/press/vulnerabilities-ecosys-m5526cdw.html 

 

Multiple Cross-Site Scripting Vulnerabilities (CVE-2019-13198, CVE-2019-13200)

Vendor: Kyocera
Vendor URL: https://www.kyoceradocumentsolutions.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13198,
 CVE-2019-13200
Risk: CVE-2019-13198: 7.6 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L)
 CVE-2019-13200: 7.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L)

Summary

Multiple Cross-Site Scripting vulnerabilities, including Stored Cross-Site Scripting issues, were found in the Kyocera Web Application.

Impact

Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions.

Details

The web application was vulnerable to Cross-Site Scripting attacks, both stored and reflected. This type of vulnerability occurs when untrusted data is included in the resulting page without being correctly HTML-encoded, and client-side executable code may be injected into the dynamic page.

CVE-2019-13198:

CVSSv3 Base Score: 6.7 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L)
Impact Subscore: 5.5
Exploitability Subscore: 1.2

CVE-2019-13200:

CVSSv3 Base Score: 7.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L)
Impact Subscore: 5.5
Exploitability Subscore: 1.6

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Kyocera in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13198
https://nvd.nist.gov/vuln/detail/CVE-2019-13198

CVE-2019-13200
https://nvd.nist.gov/vuln/detail/CVE-2019-13200

Devices Affected

The table below shows the devices and firmware versions affected:

Kyocera Models Affected Releases Fixed Releases
ECOSYS M5526CDW 2R7_2000.001.701  2R7_2000.002.301

*Reference: https://www.kyoceradocumentsolutions.eu/en/about-us/contact-us/press/vulnerabilities-ecosys-m5526cdw.html 

Lack of Cross-Site Request Forgery Countermeasures (CVE-2019-13199)

Vendor: Kyocera
Vendor URL: https://www.kyoceradocumentsolutions.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13199
Risk: 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Summary

Some Kyocera printers did not implement any mechanism to avoid cross-site request forgery attacks.

Impact

Successful exploitation of this vulnerability can lead to the takeover of a local account on the device.

Details

Some Kyocera printers did not implement any mechanism to avoid cross-site request forgery attacks. This can lead to allow a local account password to be changed without the knowledge of the authenticated user.

CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Impact Subscore: 3.6
Exploitability Subscore: 2.8

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Kyocera in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13199
https://nvd.nist.gov/vuln/detail/CVE-2019-13199

Devices Affected

The table below shows the devices and firmware versions affected:

Kyocera Models Affected Releases Fixed Releases
ECOSYS M5526CDW 2R7_2000.001.701  2R7_2000.002.301

*Reference: https://www.kyoceradocumentsolutions.eu/en/about-us/contact-us/press/vulnerabilities-ecosys-m5526cdw.html 

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: 08/08/2019
Written by:
• Daniel Romero – daniel.romero[at]nccgroup[dot]com
• Mario Rivas – mario.rivas[at]nccgroup[dot]com