Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Lexmark printers.
The vulnerability list below was found affecting to several Lexmark printers:
SNMP Denial of Service Vulnerability (CVE-2019-9931)
Multiple Overflows in Lexmark Web Server (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933)
Information Disclosure Vulnerabilities (CVE-2019-9934, CVE-2019-9935)
Information Disclosure Vulnerability via Finger Service (CVE-2019-10059)
Lack of Cross-Site Request Forgery Countermeasures (CVE-2019-10057)
No Account Lockout Implemented (CVE-2019-10058)
Technical Advisories:
SNMP Denial of Service Vulnerability (CVE-2019-9931)
Vendor: Lexmark
Vendor URL: https://www.lexmark.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-9931
Risk: 7.5 CVSSv3
Summary
Some Lexmark printers contain a denial of service vulnerability in their SNMP service. This vulnerability can be exploited to crash the device.
Impact
Successful exploitation of this vulnerability can lead to a denial of service on the affected device by causing it to crash.
Details
A specially crafted request to the SNMP service will cause a vulnerable device to crash. If the “General Settings”->Error Recovery” setting is set to “Auto Reboot” (the default) then the device will automatically reboot until the “Max Auto Reboots” limit is reached.
CVSSv3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Impact Subscore: 3.6
Exploitability Subscore: 3.9
Proof of Concept
Proof of Concepts to follow at Vendor’s request for time to patch.
Devices Affected
The table below shows the devices and firmware versions affected:
| Lexmark Models | Affected Releases | Fixed Releases |
| CS31x | LW71.VYL.P230 and previous | LW71.VYL.P231 and later |
| CS41x | LW71.VY2.P230 and previous | LW71.VY2.P231 and later |
| CS51x | LW71.VY4.P230 and previous | LW71.VY4.P231 and later |
| CX310 | LW71.GM2.P230 and previous | LW71.GM2.P231 and later |
| CX410 XC2130 | LW71.GM4.P230 and previous | LW71.GM4.P231 and later |
| CX510 XC2132 | LW71.GM7.P230 and previous | LW71.GM7.P231 and later |
| MS310, MS312, MS317 | LW71.PRL.P230 and previous | LW71.PRL.P231 and later |
| MS410, M1140 | LW71.PRL.P230 and previous | LW71.PRL.P231 and later |
| MS315, MS415, MS417 | LW71.TL2.P230 and previous | LW71.TL2.P231 and later |
| MS51x, MS610dn, MS617 | LW71.PR2.P230 and previous | LW71.PR2.P231 and later |
| M1145, M3150dn | LW71.PR2.P230 and previous | LW71.PR2.P231 and later |
| MS610de, M3150 | LW71.PR4.P230 and previous | LW71.PR4.P231 and later |
| MS71x, M5163dn | LW71.DN2.P230 and previous | LW71.DN2.P231 and later |
| MS810, MS811, MS812, MS817,MS818 | LW71.DN2.P230 and previous | LW71.DN2.P231 and later |
| MS810de, M5155, M5163 | LW71.DN4.P230 and previous | LW71.DN4.P231 and later |
| MS812de, M5170 | LW71.DN7.P230 and previous | LW71.DN7.P231 and later |
| MS91x | LW71.SA.P230 and previous | LW71.SA.P231 and later |
| MX31x, XM1135 | LW71.SB2.P230 and previous | LW71.SB2.P231 and later |
| MX410, MX510 MX511 | LW71.SB4.P230 and previous | LW71.SB4.P231 and later |
| XM1140, XM1145 | LW71.SB4.P230 and previous | LW71.SB4.P231 and later |
| MX610 MX611 | LW71.SB7.P230 and previous | LW71.SB7.P231 and later |
| XM3150 | LW71.SB7.P230 and previous | LW71.SB7.P231 and later |
| MX71x, MX81x | LW71.TU.P230 and previous | LW71.TU.P231 and later |
| XM51xx XM71xx | LW71.TU.P230 and previous | LW71.TU.P231 and later |
| MX91x XM91x | LW71.MG.P230 and previous | LW71.MG.P231 and later |
| MX6500e | LW71.JD.P230 and previous | LW71.JD.P231 and later |
| C746 | LHS60.CM2.P697 and previous | LHS60.CM2.P698 and later |
| C748, CS748 | LHS60.CM4.P697 and previous | LHS60.CM4.P698 and later |
| C792, CS796 | LHS60.HC.P697 and previous | LHS60.HC.P698 and later |
| C925 | LHS60.HV.P697 and previous | LHS60.HV.P698 and later |
| C950 | LHS60.TP.P697 and previous | LHS60.TP.P698 and later |
| X548 XS548 | LHS60.VK.P697 and previous | LHS60.VK.P698 and later |
| X74x XS748 | LHS60.NY.P697 and previous | LHS60.NY.P698 and later |
| X792 XS79x | LHS60.MR.P697 and previous | LHS60.MR.P698 and later |
| X925 XS925 | LHS60.HK.P697 and previous | LHS60.HK.P698 and later |
| X95x XS95x | LHS60.TQ.P697 and previous | LHS60.TQ.P698 and later |
| 6500e | LHS60.JR.P697 and previous | LHS60.JR.P698 and later |
| C734 | LR.SK.P814 and previous | LR.SK.P815 and later |
| C736 | LR.SKE.P814 and previous | LR.SKE.P815 and later |
| E46x | LR.LBH.P814 and previous | LR.JBH.P815 and later |
| T65x | LR.JP.P814 and previous | LR.JP.P815 and later |
| X46x | LR.BS.P814 and previous | LR.BS.P815 and later |
| X65x | LR.MN.P814 and previous | LR.MN.P815 and later |
| X73x | LR.FL.P814 and previous | LR.FL.P815 and later |
| W850 | LP.JB.P814 and previous | LP.JB.P815 and later |
| X86x | LP.SP.P814 and previous | LP.SP.P815 and later |
Vendor Communication
2019-02-06: Responsible Vulnerability Disclosure process initialized Between February and May: Permanent email contact between NCC Group and Lexmark in order to follow up the process. 2019-05-20: Lexmark Advisory released (CVE-2019-9931) 2019-05-29: NCC Group Advisory released
References
Lexmark CVE-2019-9931 advisory:
http://support.lexmark.com/index?page=content id=TE919 locale=EN userlocale=EN_US
https://nvd.nist.gov/vuln/detail/CVE-2019-9931
Multiple Overflows in Lexmark Web Server (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933)
Vendor: Lexmark
Vendor URL: https://www.lexmark.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-9930, CVE-2019-9932, CVE-2019-9933
Risk: 9.8 CVSSv3
Summary
Some Lexmark printers were affected by multiple overflow vulnerabilities that would allow an attacker to execute arbitrary code on the device.
Impact
Successful exploitation of this vulnerability can lead to remote code execution on the affected device.
Details
Specially crafted requests to the web server will cause a vulnerable device to crash. Two buffer overflows and an integer overflow vulnerability have been identified in the embedded web server of Lexmark devices that allow an attacker to execute arbitrary code on the device.
CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9
Proof of Concept
Proof of Concepts to follow at Vendor’s request for time to patch.
Devices Affected
The table below shows the devices and firmware versions affected:
| Lexmark Models | Affected Releases | Fixed Releases |
| CS31x | LW71.VYL.P230 and previous | LW71.VYL.P231 and later |
| CS41x | LW71.VY2.P230 and previous | LW71.VY2.P231 and later |
| CS51x | LW71.VY4.P230 and previous | LW71.VY4.P231 and later |
| CX310 | LW71.GM2.P230 and previous | LW71.GM2.P231 and later |
| CX410 XC2130 | LW71.GM4.P230 and previous | LW71.GM4.P231 and later |
| CX510 XC2132 | LW71.GM7.P230 and previous | LW71.GM7.P231 and later |
| MS310, MS312, MS317 | LW71.PRL.P230 and previous | LW71.PRL.P231 and later |
| MS410, M1140 | LW71.PRL.P230 and previous | LW71.PRL.P231 and later |
| MS315, MS415, MS417 | LW71.TL2.P230 and previous | LW71.TL2.P231 and later |
| MS51x, MS610dn, MS617 | LW71.PR2.P230 and previous | LW71.PR2.P231 and later |
| M1145, M3150dn | LW71.PR2.P230 and previous | LW71.PR2.P231 and later |
| MS610de, M3150 | LW71.PR4.P230 and previous | LW71.PR4.P231 and later |
| MS71x, M5163dn | LW71.DN2.P230 and previous | LW71.DN2.P231 and later |
| MS810, MS811, MS812, MS817, MS818 | LW71.DN2.P230 and previous | LW71.DN2.P231 and later |
| MS810de, M5155, M5163 | LW71.DN4.P230 and previous | LW71.DN4.P231 and later |
| MS812de, M5170 | LW71.DN7.P230 and previous | LW71.DN7.P231 and later |
| MS91x | LW71.SA.P230 and previous | LW71.SA.P231 and later |
| MX31x, XM1135 | LW71.SB2.P230 and previous | LW71.SB2.P231 and later |
| MX410, MX510 MX511 | LW71.SB4.P230 and previous | LW71.SB4.P231 and later |
| XM1140, XM1145 | LW71.SB4.P230 and previous | LW71.SB4.P231 and later |
| MX610 MX611 | LW71.SB7.P230 and previous | LW71.SB7.P231 and later |
| XM3150 | LW71.SB7.P230 and previous | LW71.SB7.P231 and later |
| MX71x, MX81x | LW71.TU.P230 and previous | LW71.TU.P231 and later |
| XM51xx XM71xx | LW71.TU.P230 and previous | LW71.TU.P231 and later |
| MX91x XM91x | LW71.MG.P230 and previous | LW71.MG.P231 and later |
| MX6500e | LW71.JD.P230 and previous | LW71.JD.P231 and later |
| C746 | LHS60.CM2.P705 and previous | LHS60.CM2.P706 and later |
| C748, CS748 | LHS60.CM4.P705 and previous | LHS60.CM4.P706 and later |
| C792, CS796 | LHS60.HC.P705 and previous | LHS60.HC.P706 and later |
| C925 | LHS60.HV.P705 and previous | LHS60.HV.P706 and later |
| C950 | LHS60.TP.P705 and previous | LHS60.TP.P706 and later |
| X548 XS548 | LHS60.VK.P705 and previous | LHS60.VK.P706 and later |
| X74x XS748 | LHS60.NY.P705 and previous | LHS60.NY.P706 and later |
| X792 XS79x | LHS60.MR.P705 and previous | LHS60.MR.P706 and later |
| X925 XS925 | LHS60.HK.P705 and previous | LHS60.HK.P706 and later |
| X95x XS95x | LHS60.TQ.P705 and previous | LHS60.TQ.P706 and later |
| 6500e | LHS60.JR.P705 and previous | LHS60.JR.P706 and later |
| C734 | LR.SK.P815 and previous | LR.SK.P816 and later |
| C736 | LR.SKE.P815 and previous | LR.SKE.P816 and later |
| E46x | LR.LBH.P815 and previous | LR.JBH.P816 and later |
| T65x | LR.JP.P815 and previous | LR.JP.P816 and later |
| X46x | LR.BS.P815 and previous | LR.BS.P816 and later |
| X65x | LR.MN.P815 and previous | LR.MN.P816 and later |
| X73x | LR.FL.P815 and previous | LR.FL.P816 and later |
| W850 | LP.JB.P815 and previous | LP.JB.P816 and later |
| X86x | LP.SP.P815 and previous | LP.SP.P816 and later |
Vendor Communication
2019-02-06: Responsible Vulnerability Disclosure process initialized Between February and May: Permanent email contact between NCC Group and Lexmark in order to follow up the process. 2019-05-20: Lexmark Advisory released (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933) 2019-05-29: NCC Group Advisory released
References
Lexmark CVE-2019-9930, CVE-2019-9932, CVE-2019-9933 advisory:
http://support.lexmark.com/index?page=content id=TE920 locale=EN userlocale=EN_US
CVE-2019-9930, CVE-2019-9932, CVE-2019-9933
https://nvd.nist.gov/vuln/detail/CVE-2019-9930
https://nvd.nist.gov/vuln/detail/CVE-2019-9932
https://nvd.nist.gov/vuln/detail/CVE-2019-9933
Information Disclosure Vulnerabilities (CVE-2019-9934, CVE-2019-9935)
Vendor: Lexmark
Vendor URL: https://www.lexmark.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-9934, CVE-2019-9935
Risk: 5.3 CVSSv3
Summary
Some Lexmark printers were affected by different information disclosure vulnerabilities that provided sensitive information to an unauthenticated user.
Impact
Successful exploitation of this vulnerability can lead to the disclosure of information about the device configuration and operation.
Details
Some Lexmark printers were found having several operational and configuration functionalities or files, which could be reached by an unauthenticated user.
CVSSv3 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Impact Subscore: 1.4
Exploitability Subscore: 3.9
Proof of Concept
Proof of Concepts to follow at Vendor’s request for time to patch.
Devices Affected
The table below shows the devices and firmware versions affected:
| Lexmark Models | Affected Releases | Fixed Releases |
| CS31x | LW71.VYL.P229 and previous | LW71.VYL.P230 and later |
| CS41x | LW71.VY2.P229 and previous | LW71.VY2.P230 and later |
| CX310 | LW71.GM2.P229 and previous | LW71.GM2.P230 and later |
| MS310, MS312, MS317 | LW71.PRL.P229 and previous | LW71.PRL.P230 and later |
| MS410, M1140 | LW71.PRL.P229 and previous | LW71.PRL.P230 and later |
| MS315, MS415, MS417 | LW71.TL2.P229 and previous | LW71.TL2.P230 and later |
| MX31x, XM1135 | LW71.SB2.P229 and previous | LW71.SB2.P230 and later |
| MS51x, MS610dn, MS617 | LW71.PR2.P229 and previous | LW71.PR2.P230 and later |
| M1145, M3150dn | LW71.PR2.P229 and previous | LW71.PR2.P230 and later |
| MS71x, M5163dn | LW71.DN2.P229 and previous | LW71.DN2.P230 and later |
| MS810, MS811, MS812, MS817, MS818 | LW71.DN2.P229 and previous | LW71.DN2.P230 and later |
Vendor Communication
2019-02-06: Responsible Vulnerability Disclosure process initialized Between February and May: Permanent email contact between NCC Group and Lexmark in order to follow up the process. 2019-05-20: Lexmark Advisory released (CVE-2019-9934, CVE-2019-9935) 2019-05-29: NCC Group Advisory released
References
Lexmark CVE-2019-9934, CVE-2019-9935 advisory:
http://support.lexmark.com/index?page=content id=TE924 locale=EN userlocale=EN_US
https://nvd.nist.gov/vuln/detail/CVE-2019-9934
https://nvd.nist.gov/vuln/detail/CVE-2019-9935
Information Disclosure Vulnerability via Finger Service (CVE-2019-10059)
Vendor: Lexmark
Vendor URL: https://www.lexmark.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-10059
Risk: 5.3 CVSSv3
Summary
Some Lexmark printers were affected by an information disclosure vulnerability via the Finger service that provided sensitive information to an unauthenticated user.
Impact
Successful exploitation of this vulnerability can lead to the disclosure of information about the device configuration and operation.
Details
The Lexmark printer implemented a finger service that allowed some sent commands to obtain useful debug information, similar to the information that can be obtained from CVE-2019-9934 and CVE-2019-9935 vulnerabilities.
CVSSv3 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Impact Subscore: 1.4
Exploitability Subscore: 3.9
Proof of Concept
Proof of Concepts to follow at Vendor’s request for time to patch.
Devices Affected
The table below shows the devices and firmware versions affected:
<
div style=”overflow-x: auto;”>
<
table style=”width: 100%;” border=”1″>
Lexmark Models
Affected Releases
Fixed Releases
CS31x
LW71.VYL.P233 and previous
LW71.VYL.P234 and later
CS41x
LW71.VY2.P233 and previous
LW71.VY2.P234 and later
CS51x
LW71.VY4.P233 and previous
LW71.VY4.P234 and later
CX310
LW71.GM2.P233 and previous
LW71.GM2.P234 and later
CX410 XC2130
LW71.GM4.P233 and previous
LW71.GM4.P234 and later
CX510 XC2132
LW71.GM7.P233 and previous
LW71.GM7.P234 and later
MS310, MS312, MS317
LW71.PRL.P233 and previous
LW71.PRL.P234 and later
MS410, M1140
LW71.PRL.P233 and previous
LW71.PRL.P234 and later
MS315, MS415, MS417
LW71.TL2.P233 and previous
LW71.TL2.P234 and later
MS51x, MS610dn, MS617
LW71.PR2.P233 and previous
LW71.PR2.P234 and later
M1145, M3150dn
LW71.PR2.P233 and previous
LW71.PR2.P234 and later
MS610de, M3150
LW71.PR4.P233 and previous
LW71.PR4.P234 and later
MS71x, M5163dn
LW71.DN2.P233 and previous
LW71.DN2.P234 and later
MS810, MS811, MS812, MS817, MS818
LW71.DN2.P233 and previous
LW71.DN2.P234 and later
MS810de, M5155, M5163
LW71.DN4.P233 and previous
LW71.DN4.P234 and later
MS812de, M5170
LW71.DN7.P233 and previous
LW71.DN7.P234 and later
MS91x
LW71.SA.P233 and previous
LW71.SA.P234 and later
MX31x, XM1135
LW71.SB2.P233 and previous
LW71.SB2.P234 and later
MX410, MX510 MX511
LW71.SB4.P233 and previous
LW71.SB4.P234 and later
XM1140, XM1145
LW71.SB4.P233 and previous
LW71.SB4.P234 and later
MX610 MX611
LW71.SB7.P233 and previous
LW71.SB7.P234 and later
XM3150
LW71.SB7.P233 and previous
LW71.SB7.P234 and later
MX71x, MX81x
LW71.TU.P233 and previous
LW71.TU.P234 and later
XM51xx XM71xx
LW71.TU.P233 and previous
LW71.TU.P234 and later
MX91x XM91x
LW71.MG.P233 and previous
LW71.MG.P234 and later
MX6500e
LW71.JD.P233 and previous
LW71.JD.P234 and later
C746
LHS60.CM2.P705 and previous
LHS60.CM2.P706 and later
C748, CS748
LHS60.CM4.P705 and previous
LHS60.CM4.P706 and later
C792, CS796
LHS60.HC.P705 and previous
LHS60.HC.P706 and later
C925
LHS60.HV.P705 and previous
LHS60.HV.P706 and later
C950
LHS60.TP.P705 and previous
LHS60.TP.P706 and later
X548 XS548
LHS60.VK.P705 and previous
LHS60.VK.P706 and later
X74x XS748
LHS60.NY.P705 and previous
LHS60.NY.P706 and later
X792 XS79x
LHS60.MR.P705 and previous
LHS60.MR.P706 and later
X925 XS925
LHS60.HK.P705 and previous
LHS60.HK.P706 and later
X95x XS95x
LHS60.TQ.P705 and previous
LHS60.TQ.P706 and later
6500e
LHS60.JR.P705 and previous
LHS60.JR.P706 and later
C734
LR.SK.P815 and previous
LR.SK.P816 and later
C736
LR.SKE.P815 and previous
LR.SKE.P816 and later
E46x
LR.LBH.P815 and previous
LR.JBH.P816 and later
T65x
LR.JP.P815 and previous
LR.JP.P816 and later
X46x
LR.BS.P815 and previous
LR.BS.P816 and later
X65x
LR.MN.P815 and previous
LR.MN.P816 and later
X73x
