|Last update:||12 December 2018|
|Public Release Date:||18 December 2018|
Many older Lexmark devices contain a directory traversal vulnerability
A directory traversal vulnerability has been identified in the embedded web server used in older generation Lexmark devices. The vulnerability allows unauthenticated access to sensitive files on the device.
|CVSS v3 Base Score:||7.5||(AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NH)|
CVSSv3 scores are calculated in accordance with CVSS version 3.0
Successful exploitation of this vulnerability can lead to the disclosure of configuration and operating system information on the affected device.
To determine a devices firmware level, select the “Settings” > “Reports” > ”Menu Setting Page” menu item from the operator panel. If the firmware level listed under “Device Information” matches any level under “Affected Releases”, then you should upgrade to a “Fixed Release”.
|Lexmark Models||Affected Releases||Fixed Releases|
|CS41x||LW71.VY2.P215 and previous||LW71.VY2.P216 and later|
|CS51x||LW71.VY4.P215 and previous||LW71.VY4.P216 and later|
|CX410||LW71.GM4.P215 and previous||LW71.GM4.P216 and later|
|CX510, XC2132||LW71.GM7.P215 and previous||LW71.GM7.P216 and later|
|MS610de, MS610dte||LW71.PR4.P215 and previous||LW71.PR4.P216 and later|
|M3150||LW71.PR4.P215 and previous||LW71.PR4.P216 and later|
|MS810de||LW71.DN4.P215 and previous||LW71.DN4.P216 and later|
|M5155, M5163||LW71.DN4.P215 and previous||LW71.DN4.P216 and later|
|MS812de||LW71.DN7.P215 and previous||LW71.DN7.P216 and later|
|M5170||LW71.DN7.P215 and previous||LW71.DN7.P216 and later|
|MS91x||LW71.SA.P215 and previous||LW71.SA.P216 and later|
|MX410, MX510, MX511||LW71.SB4.P215 and previous||LW71.SB4.P216 and later|
|XM1145||LW71.SB4.P215 and previous||LW71.SB4.P216 and later|
|MX610, MX611||LW71.SB7.P215 and previous||LW71.SB7.P216 and later|
|XM3150||LW71.SB7.P215 and previous||LW71.SB7.P216 and later|
|MX71x||LW71.TU.P215 and previous||LW71.TU.P216 and later|
|MX81x||LW71.TU.P215 and previous||LW71.TU.P216 and later|
|XM51xx, XM71xx||LW71.TU.P215 and previous||LW71.TU.P216 and later|
|MX91x, SM91x||LW71.MG.P215 and previous||LW71.MG.P216 and later|
|MX6500e||LW71.JD.P215 and previous||LW71.JD.P216 and later|
|C748, CS748||LHS60.CM4.P682 and previous||LHS60.CM4.P683 and previous|
|C79x, CS796||LHS60.HC.P682 and previous||LHS60.HC.P683 and previous|
|C925||LHS60.HV.P682 and previous||LHS60.HV.P683 and previous|
|C95x||LHS60.TP.P682 and previous||LHS60.TP.P683 and previous|
|X548, XS548||LHS60.VK.P682 and previous||LHS60.VK.P683 and previous|
|X74x, XS478||LHS60.NY.P682 and previous||LHS60.NY.P683 and previous|
|X792, XS79x||LHS60.MR.P682 and previous||LHS60.MR.P683 and previous|
|X925, XS925||LHS60.HK.P682 and previous||LHS60.HK.P683 and previous|
|X95x, XS95x||LHS60.TQ.P682 and previous||LHS60.TQ.P683 and previous|
|6500e||LHS60.JR.P682 and previous||LHS60.JR.P683 and previous|
|X46x||LR.BS.P809 and previous||LR.BS.P810 and previous|
|X65x||LR.MN.P809 and previous||LR.MN.P810 and previous|
|X73x||LR.FL.P809 and previous||LR.FL.P810 and previous|
|X86x||LR.SP.P809 and previous||LR.SP.P810 and previous|
Obtaining Updated Software
To obtain firmware that resolves this issue, or if you have special code, please contact Lexmark's Technical Support Center at http://support.lexmark.com to find your local support center.
Lexmark recommends a firmware update if your device has affected firmware.
Exploitation and Public Announcements
Lexmark is not aware of any malicious use against Lexmark products of the vulnerability described in this advisory.
Lexmark would like to thank Benjamin Rollin of GuidePoint Security for bringing this to our attention.
Status of this Notice:
THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND IS PROVIDED WITHOUT ANY EXPRESS OR IMPLIED GUARANTEE OR WARRANTY WHATSOEVER, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR USE OR PURPOSE. LEXMARK RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.
This advisory is posted on Lexmark’s web site at http://support.lexmark.com/alerts. Future updates to this document will be posted on Lexmark’s web site at the same location.
|1.0||18 December 2018||Initial Public Release|