Skip to navigation Skip to main content Skip to footer

Technical Advisory: Multiple Vulnerabilities in Lexmark Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Lexmark printers.

The vulnerability list below was found affecting to several Lexmark printers:

SNMP Denial of Service Vulnerability (CVE-2019-9931)
Multiple Overflows in Lexmark Web Server (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933)
Information Disclosure Vulnerabilities (CVE-2019-9934, CVE-2019-9935)
Information Disclosure Vulnerability via Finger Service (CVE-2019-10059)
Lack of Cross-Site Request Forgery Countermeasures (CVE-2019-10057)
No Account Lockout Implemented (CVE-2019-10058)

Technical Advisories:

SNMP Denial of Service Vulnerability (CVE-2019-9931)

Vendor: Lexmark
Vendor URL: https://www.lexmark.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
         Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-9931
Risk: 7.5 CVSSv3

Summary

Some Lexmark printers contain a denial of service vulnerability in their SNMP service. This vulnerability can be exploited to crash the device.

Impact

Successful exploitation of this vulnerability can lead to a denial of service on the affected device by causing it to crash.

Details

A specially crafted request to the SNMP service will cause a vulnerable device to crash. If the “General Settings”->Error Recovery” setting is set to “Auto Reboot” (the default) then the device will automatically reboot until the “Max Auto Reboots” limit is reached.

CVSSv3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Impact Subscore: 3.6
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts to follow at Vendor’s request for time to patch.

Devices Affected

The table below shows the devices and firmware versions affected:

Lexmark Models Affected Releases Fixed Releases
CS31x LW71.VYL.P230 and previous LW71.VYL.P231 and later
CS41x LW71.VY2.P230 and previous LW71.VY2.P231 and later
CS51x LW71.VY4.P230 and previous LW71.VY4.P231 and later
CX310 LW71.GM2.P230 and previous LW71.GM2.P231 and later
CX410 XC2130 LW71.GM4.P230 and previous LW71.GM4.P231 and later
CX510 XC2132 LW71.GM7.P230 and previous LW71.GM7.P231 and later
MS310, MS312, MS317 LW71.PRL.P230 and previous LW71.PRL.P231 and later
MS410, M1140 LW71.PRL.P230 and previous LW71.PRL.P231 and later
MS315, MS415, MS417 LW71.TL2.P230 and previous LW71.TL2.P231 and later
MS51x, MS610dn, MS617 LW71.PR2.P230 and previous LW71.PR2.P231 and later
M1145, M3150dn LW71.PR2.P230 and previous LW71.PR2.P231 and later
MS610de, M3150 LW71.PR4.P230 and previous LW71.PR4.P231 and later
MS71x, M5163dn LW71.DN2.P230 and previous LW71.DN2.P231 and later
MS810, MS811, MS812, MS817,MS818 LW71.DN2.P230 and previous  LW71.DN2.P231 and later
MS810de, M5155, M5163 LW71.DN4.P230 and previous LW71.DN4.P231 and later
MS812de, M5170 LW71.DN7.P230 and previous LW71.DN7.P231 and later
MS91x LW71.SA.P230 and previous LW71.SA.P231 and later
MX31x, XM1135 LW71.SB2.P230 and previous LW71.SB2.P231 and later
MX410, MX510 MX511 LW71.SB4.P230 and previous LW71.SB4.P231 and later
XM1140, XM1145 LW71.SB4.P230 and previous LW71.SB4.P231 and later
MX610 MX611 LW71.SB7.P230 and previous LW71.SB7.P231 and later
XM3150 LW71.SB7.P230 and previous LW71.SB7.P231 and later
MX71x, MX81x LW71.TU.P230 and previous LW71.TU.P231 and later
XM51xx XM71xx LW71.TU.P230 and previous LW71.TU.P231 and later
MX91x XM91x LW71.MG.P230 and previous LW71.MG.P231 and later
MX6500e LW71.JD.P230 and previous LW71.JD.P231 and later
C746 LHS60.CM2.P697 and previous LHS60.CM2.P698 and later
C748, CS748 LHS60.CM4.P697 and previous LHS60.CM4.P698 and later
C792, CS796 LHS60.HC.P697 and previous LHS60.HC.P698 and later
C925 LHS60.HV.P697 and previous LHS60.HV.P698 and later
C950 LHS60.TP.P697 and previous LHS60.TP.P698 and later
X548 XS548 LHS60.VK.P697 and previous LHS60.VK.P698 and later
X74x XS748 LHS60.NY.P697 and previous LHS60.NY.P698 and later
X792 XS79x LHS60.MR.P697 and previous LHS60.MR.P698 and later
X925 XS925 LHS60.HK.P697 and previous LHS60.HK.P698 and later
X95x XS95x LHS60.TQ.P697 and previous LHS60.TQ.P698 and later
6500e LHS60.JR.P697 and previous LHS60.JR.P698 and later
C734 LR.SK.P814 and previous LR.SK.P815 and later
C736 LR.SKE.P814 and previous LR.SKE.P815 and later
E46x LR.LBH.P814 and previous LR.JBH.P815 and later
T65x LR.JP.P814 and previous LR.JP.P815 and later
X46x LR.BS.P814 and previous LR.BS.P815 and later
X65x LR.MN.P814 and previous LR.MN.P815 and later
X73x LR.FL.P814 and previous LR.FL.P815 and later
W850 LP.JB.P814 and previous LP.JB.P815 and later
X86x LP.SP.P814 and previous LP.SP.P815 and later

Vendor Communication

2019-02-06: Responsible Vulnerability Disclosure process initialized
Between February and May: Permanent email contact between NCC Group and Lexmark in order to follow up the process.
2019-05-20: Lexmark Advisory released (CVE-2019-9931)
2019-05-29: NCC Group Advisory released

References

Lexmark CVE-2019-9931 advisory:

http://support.lexmark.com/index?page=content id=TE919 locale=EN userlocale=EN_US

CVE-2019-9931

https://nvd.nist.gov/vuln/detail/CVE-2019-9931

 

 

Multiple Overflows in Lexmark Web Server (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933)

Vendor: Lexmark
Vendor URL: https://www.lexmark.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
         Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-9930, CVE-2019-9932, CVE-2019-9933
Risk: 9.8 CVSSv3

Summary

Some Lexmark printers were affected by multiple overflow vulnerabilities that would allow an attacker to execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can lead to remote code execution on the affected device.

Details

Specially crafted requests to the web server will cause a vulnerable device to crash. Two buffer overflows and an integer overflow vulnerability have been identified in the embedded web server of Lexmark devices that allow an attacker to execute arbitrary code on the device.

CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts to follow at Vendor’s request for time to patch.

Devices Affected

The table below shows the devices and firmware versions affected:

Lexmark Models Affected Releases Fixed Releases
CS31x LW71.VYL.P230 and previous LW71.VYL.P231 and later
CS41x LW71.VY2.P230 and previous LW71.VY2.P231 and later
CS51x LW71.VY4.P230 and previous LW71.VY4.P231 and later
CX310 LW71.GM2.P230 and previous LW71.GM2.P231 and later
CX410 XC2130 LW71.GM4.P230 and previous LW71.GM4.P231 and later
CX510 XC2132 LW71.GM7.P230 and previous LW71.GM7.P231 and later
MS310, MS312, MS317 LW71.PRL.P230 and previous LW71.PRL.P231 and later
MS410, M1140 LW71.PRL.P230 and previous LW71.PRL.P231 and later
MS315, MS415, MS417 LW71.TL2.P230 and previous LW71.TL2.P231 and later
MS51x, MS610dn, MS617 LW71.PR2.P230 and previous LW71.PR2.P231 and later
M1145, M3150dn LW71.PR2.P230 and previous LW71.PR2.P231 and later
MS610de, M3150 LW71.PR4.P230 and previous LW71.PR4.P231 and later
MS71x, M5163dn LW71.DN2.P230 and previous LW71.DN2.P231 and later
MS810, MS811, MS812, MS817, MS818 LW71.DN2.P230 and previous LW71.DN2.P231 and later
MS810de, M5155, M5163 LW71.DN4.P230 and previous LW71.DN4.P231 and later
MS812de, M5170 LW71.DN7.P230 and previous LW71.DN7.P231 and later
MS91x LW71.SA.P230 and previous LW71.SA.P231 and later
MX31x, XM1135 LW71.SB2.P230 and previous LW71.SB2.P231 and later
MX410, MX510 MX511 LW71.SB4.P230 and previous LW71.SB4.P231 and later
XM1140, XM1145 LW71.SB4.P230 and previous LW71.SB4.P231 and later
MX610 MX611 LW71.SB7.P230 and previous LW71.SB7.P231 and later
XM3150 LW71.SB7.P230 and previous LW71.SB7.P231 and later
MX71x, MX81x LW71.TU.P230 and previous LW71.TU.P231 and later
XM51xx XM71xx LW71.TU.P230 and previous LW71.TU.P231 and later
MX91x XM91x LW71.MG.P230 and previous LW71.MG.P231 and later
MX6500e LW71.JD.P230 and previous LW71.JD.P231 and later
C746 LHS60.CM2.P705 and previous LHS60.CM2.P706 and later
C748, CS748 LHS60.CM4.P705 and previous LHS60.CM4.P706 and later
C792, CS796 LHS60.HC.P705 and previous LHS60.HC.P706 and later
C925 LHS60.HV.P705 and previous LHS60.HV.P706 and later
C950 LHS60.TP.P705 and previous LHS60.TP.P706 and later
X548 XS548 LHS60.VK.P705 and previous LHS60.VK.P706 and later
X74x XS748 LHS60.NY.P705 and previous LHS60.NY.P706 and later
X792 XS79x LHS60.MR.P705 and previous LHS60.MR.P706 and later
X925 XS925 LHS60.HK.P705 and previous LHS60.HK.P706 and later
X95x XS95x LHS60.TQ.P705 and previous LHS60.TQ.P706 and later
6500e LHS60.JR.P705 and previous LHS60.JR.P706 and later
C734 LR.SK.P815 and previous LR.SK.P816 and later
C736 LR.SKE.P815 and previous LR.SKE.P816 and later
E46x LR.LBH.P815 and previous LR.JBH.P816 and later
T65x LR.JP.P815 and previous LR.JP.P816 and later
X46x LR.BS.P815 and previous LR.BS.P816 and later
X65x LR.MN.P815 and previous LR.MN.P816 and later
X73x LR.FL.P815 and previous LR.FL.P816 and later
W850 LP.JB.P815 and previous LP.JB.P816 and later
X86x LP.SP.P815 and previous LP.SP.P816 and later

Vendor Communication

2019-02-06: Responsible Vulnerability Disclosure process initialized
Between February and May: Permanent email contact between NCC Group and Lexmark in order to follow up the process.
2019-05-20: Lexmark Advisory released (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933)
2019-05-29: NCC Group Advisory released

References

Lexmark CVE-2019-9930, CVE-2019-9932, CVE-2019-9933 advisory:

http://support.lexmark.com/index?page=content id=TE920 locale=EN userlocale=EN_US

CVE-2019-9930, CVE-2019-9932, CVE-2019-9933

https://nvd.nist.gov/vuln/detail/CVE-2019-9930
https://nvd.nist.gov/vuln/detail/CVE-2019-9932
https://nvd.nist.gov/vuln/detail/CVE-2019-9933

 

 

Information Disclosure Vulnerabilities (CVE-2019-9934, CVE-2019-9935)

Vendor: Lexmark
Vendor URL: https://www.lexmark.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
         Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-9934, CVE-2019-9935
Risk: 5.3 CVSSv3

Summary

Some Lexmark printers were affected by different information disclosure vulnerabilities that provided sensitive information to an unauthenticated user.

Impact

Successful exploitation of this vulnerability can lead to the disclosure of information about the device configuration and operation.

Details

Some Lexmark printers were found having several operational and configuration functionalities or files, which could be reached by an unauthenticated user.

CVSSv3 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Impact Subscore: 1.4
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts to follow at Vendor’s request for time to patch.

Devices Affected

The table below shows the devices and firmware versions affected:

Lexmark Models Affected Releases Fixed Releases
CS31x LW71.VYL.P229 and previous LW71.VYL.P230 and later
CS41x LW71.VY2.P229 and previous LW71.VY2.P230 and later
CX310 LW71.GM2.P229 and previous LW71.GM2.P230 and later
MS310, MS312, MS317 LW71.PRL.P229 and previous LW71.PRL.P230 and later
MS410, M1140 LW71.PRL.P229 and previous LW71.PRL.P230 and later
MS315, MS415, MS417 LW71.TL2.P229 and previous LW71.TL2.P230 and later
MX31x, XM1135 LW71.SB2.P229 and previous LW71.SB2.P230 and later
MS51x, MS610dn, MS617 LW71.PR2.P229 and previous LW71.PR2.P230 and later
M1145, M3150dn LW71.PR2.P229 and previous LW71.PR2.P230 and later
MS71x, M5163dn LW71.DN2.P229 and previous LW71.DN2.P230 and later
MS810, MS811, MS812, MS817, MS818 LW71.DN2.P229 and previous LW71.DN2.P230 and later

Vendor Communication

2019-02-06: Responsible Vulnerability Disclosure process initialized
Between February and May: Permanent email contact between NCC Group and Lexmark in order to follow up the process.
2019-05-20: Lexmark Advisory released (CVE-2019-9934, CVE-2019-9935)
2019-05-29: NCC Group Advisory released

References

Lexmark CVE-2019-9934, CVE-2019-9935 advisory:

http://support.lexmark.com/index?page=content id=TE924 locale=EN userlocale=EN_US 

CVE-2019-9934, CVE-2019-9935

https://nvd.nist.gov/vuln/detail/CVE-2019-9934
https://nvd.nist.gov/vuln/detail/CVE-2019-9935

 

 

Information Disclosure Vulnerability via Finger Service (CVE-2019-10059)

Vendor: Lexmark
Vendor URL: https://www.lexmark.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
         Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-10059
Risk: 5.3 CVSSv3

Summary

Some Lexmark printers were affected by an information disclosure vulnerability via the Finger service that provided sensitive information to an unauthenticated user.

Impact

Successful exploitation of this vulnerability can lead to the disclosure of information about the device configuration and operation.

Details

The Lexmark printer implemented a finger service that allowed some sent commands to obtain useful debug information, similar to the information that can be obtained from CVE-2019-9934 and CVE-2019-9935 vulnerabilities.

CVSSv3 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Impact Subscore: 1.4
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts to follow at Vendor’s request for time to patch.

Devices Affected

The table below shows the devices and firmware versions affected:

<

div style=”overflow-x: auto;”>

<

table style=”width: 100%;” border=”1″>

Lexmark Models
Affected Releases
Fixed Releases

CS31x
LW71.VYL.P233 and previous
LW71.VYL.P234 and later

CS41x
LW71.VY2.P233 and previous
LW71.VY2.P234 and later

CS51x
LW71.VY4.P233 and previous
LW71.VY4.P234 and later

CX310
LW71.GM2.P233 and previous
LW71.GM2.P234 and later

CX410 XC2130
LW71.GM4.P233 and previous
LW71.GM4.P234 and later

CX510 XC2132
LW71.GM7.P233 and previous
LW71.GM7.P234 and later

MS310, MS312, MS317
LW71.PRL.P233 and previous
LW71.PRL.P234 and later

MS410, M1140
LW71.PRL.P233 and previous
LW71.PRL.P234 and later

MS315, MS415, MS417
LW71.TL2.P233 and previous
LW71.TL2.P234 and later

MS51x, MS610dn, MS617
LW71.PR2.P233 and previous
LW71.PR2.P234 and later

M1145, M3150dn
LW71.PR2.P233 and previous
LW71.PR2.P234 and later

MS610de, M3150
LW71.PR4.P233 and previous
LW71.PR4.P234 and later

MS71x, M5163dn
LW71.DN2.P233 and previous
LW71.DN2.P234 and later

MS810, MS811, MS812, MS817, MS818
LW71.DN2.P233 and previous
LW71.DN2.P234 and later

MS810de, M5155, M5163
LW71.DN4.P233 and previous
LW71.DN4.P234 and later

MS812de, M5170
LW71.DN7.P233 and previous
LW71.DN7.P234 and later

MS91x
LW71.SA.P233 and previous
LW71.SA.P234 and later

MX31x, XM1135
LW71.SB2.P233 and previous
LW71.SB2.P234 and later

MX410, MX510 MX511
LW71.SB4.P233 and previous
LW71.SB4.P234 and later

XM1140, XM1145
LW71.SB4.P233 and previous
LW71.SB4.P234 and later

MX610 MX611
LW71.SB7.P233 and previous
LW71.SB7.P234 and later

XM3150
LW71.SB7.P233 and previous
LW71.SB7.P234 and later

MX71x, MX81x
LW71.TU.P233 and previous
LW71.TU.P234 and later

XM51xx XM71xx
LW71.TU.P233 and previous
LW71.TU.P234 and later

MX91x XM91x
LW71.MG.P233 and previous
LW71.MG.P234 and later

MX6500e
LW71.JD.P233 and previous
LW71.JD.P234 and later

C746
LHS60.CM2.P705 and previous
LHS60.CM2.P706 and later

C748, CS748
LHS60.CM4.P705 and previous
LHS60.CM4.P706 and later

C792, CS796
LHS60.HC.P705 and previous
LHS60.HC.P706 and later

C925
LHS60.HV.P705 and previous
LHS60.HV.P706 and later

C950
LHS60.TP.P705 and previous
LHS60.TP.P706 and later

X548 XS548
LHS60.VK.P705 and previous
LHS60.VK.P706 and later

X74x XS748
LHS60.NY.P705 and previous
LHS60.NY.P706 and later

X792 XS79x
LHS60.MR.P705 and previous
LHS60.MR.P706 and later

X925 XS925
LHS60.HK.P705 and previous
LHS60.HK.P706 and later

X95x XS95x
LHS60.TQ.P705 and previous
LHS60.TQ.P706 and later

6500e
LHS60.JR.P705 and previous
LHS60.JR.P706 and later

C734
LR.SK.P815 and previous
LR.SK.P816 and later

C736
LR.SKE.P815 and previous
LR.SKE.P816 and later

E46x
LR.LBH.P815 and previous
LR.JBH.P816 and later

T65x
LR.JP.P815 and previous
LR.JP.P816 and later

X46x
LR.BS.P815 and previous
LR.BS.P816 and later

X65x
LR.MN.P815 and previous
LR.MN.P816 and later

X73x