
Lexmark Security Advisory: MarkVision Unauthorized Access Vulnerability

Document ID: TE530
 

Revision: 1.0
Last Update: 22 April 2013
Public Release Date: 22 April 2013
 

Summary

Unauthorized access vulnerability
 
MarkVision Enterprise contains a vulnerability that allows an unauthenticated remote attacker to access and modify configuration data and fleet management information, in addition to executing commands within the application.
 

References

CVE: CVE-2013-3055
 

Affected Products

MarkVision Enterprise; for specific details see “Software Versions and Fixes”.
 

Details

MarkVision Enterprise is a tool that gives IT professionals the ability to track and monitor thousands of print devices.
In some versions of MarkVision Enterprise, a diagnostic port is active and listening on TCP port 9789. This port provides unauthenticated access to application data and the ability to execute code within the application framework.

 

Impact

Successful exploitation of this vulnerability can lead to the disclosure of user and device data stored in the MarkVision Enterprise database, and the ability to execute code within the MarkVision platform. 
 

Vulnerability Scoring Details

CVSS Base Score: 9.3

Exploitability
Access Vector: Network
Access Complexity: Medium
Authentication: None

Impact
Confidentiality: Complete
Integrity: Complete
Availability: Complete

CVSS scores are calculated in accordance with CVSS version 2.0.
 

Workarounds

Block access to port 9789 on the computer which hosts the MarkVision Enterprise server. Please contact the Lexmark Technical Support Center at 1-800-539-6275 for additional information. 
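
One way to confirm the workaround took effect, as an added example that is not part of Lexmark's advisory: run from a machine that should no longer reach the server, it reports whether TCP port 9789 still accepts connections. The function names, the script name check_diag_port.py and the command-line host arguments are assumptions made for illustration.

```python
import socket
import sys

DIAG_PORT = 9789  # diagnostic port named in the advisory


def check_port(host, port=DIAG_PORT, timeout=3.0):
    """Classify one TCP connection attempt to host:port.

    'open'       - handshake completed: the port is still reachable
    'closed'     - connection refused: nothing listening, or rejected by a firewall
    'filtered'   - no answer or network error: typically dropped by a firewall
    'unresolved' - the host name could not be resolved
    """
    try:
        # Connect and close immediately; no data is sent to the service.
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        return "unresolved"
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts and unreachable-network errors
        return "filtered"


def exposed_hosts(hosts, port=DIAG_PORT, timeout=3.0):
    """Return the hosts on which the port still accepts connections."""
    return [h for h in hosts if check_port(h, port, timeout) == "open"]


if __name__ == "__main__":
    # Hosts come from the command line (hypothetical script name below).
    targets = sys.argv[1:]
    if not targets:
        sys.exit("usage: check_diag_port.py HOST [HOST ...]")
    results = {t: check_port(t) for t in targets}
    for target, state in results.items():
        print(f"{target}:{DIAG_PORT} {state}")
    # Non-zero exit status if any host is still reachable on the port.
    sys.exit(1 if "open" in results.values() else 0)
```

A result of "closed" or "filtered" from every network segment that should be blocked indicates the rule is in place; "open" means the port is still exposed from where the check was run.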
 

Software Versions and Fixes

The vulnerability described in this advisory has been fixed in MarkVision Enterprise v1.8 and all future releases. 
 

Obtaining Updated Software

To obtain MarkVision Enterprise v1.8, please navigate to http://www.lexmark.com/markvision
 

Exploitation and Public Announcements

Lexmark is not aware of any malicious use of the vulnerability described in this advisory. Information about this vulnerability has not been published by others prior to this advisory.
 

Status of this Notice

This document is provided on an "as is" basis and is provided without any express or implied guarantee or warranty whatsoever, including but not limited to the warranties of merchantability and fitness for a particular use or purpose. Lexmark reserves the right to change or update this document at any time.
 

Distribution

This advisory is posted on Lexmark’s web site at http://support.lexmark.com/alerts. Future updates to this document will be posted on Lexmark’s web site at the same location.
 

Revision History

Revision  Date     Reason
1.0       4/22/13  Initial Publication

 

 

 

 

 


