Thank you for your feedback



Lexmark Security Advisory: Cross Site Request Forgery (CVE-2019-10057)

Document ID:TE921

Usergroup :External
  Languages  
  Properties  

Solution

Lexmark Security Advisory:

 Revision:  1.0
 Last update:     10 May 2019
 Public Release Date:  20 May 2019

 

 

Summary

Many older Lexmark devices embedded web server contain a cross site request forgery attack vulnerability that allows a local account password to be changed without the knowledge of the authenticated user.

 

 

References

CVE:   CVE-2019-10057

 

 

Details
 

A vulnerability has been identified in the embedded web server used in older generation Lexmark devices. 
The vulnerability allows an attacker to fool an authenticated user into changing their password.


CVSSv3 Base Score 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Impact Subscore: 3.6  
Exploitability Subscore: 2.8  

  

CVSSv3 scores are calculated in accordance with CVSS version 3.0   (https://www.first.org/cvss/user-guide)

 

 

Impact
 

Successful exploitation of this vulnerability can lead to the takeover of a local account on the device.

 

 

Affected Products


To determine a devices firmware level, select the “Settings”->“Reports”->”Menu Setting Page” menu item from the operator panel.  If the firmware level listed under “Device Information” matches any level under
“Affected Releases”, then upgrade to a “Fixed Release”.


Lexmark Models Affected Releases Fixed Releases
CS31x LW71.VYL.P228 and later LW71.VY4.P229 and later
CS41x LW71.VY2.P228 and later LW71.VY2.P229 and later
CX310 LW71.GM2.P228 and later LW71.GM2.P229 and later
MS310, MS312, MS317 LW71.PRL.P228 and later LW71.PRL.P229 and later
MS410, M1140 LW71.PRL.P228 and later LW71.PRL.P229 and later
MS315, MS415, MS417 LW71.TL2.P228 and later LW71.TL2.P229 and later
MX31x, XM1135 LW71.SB2.P228 and later LW71.SB2.P229 and later
MS51x, MS610dn, MS617 LW71.PR2.P228 and later LW71.PR2.P229 and later
M1145, M3150dn LW71.PR2.P228 and later LW71.PR2.P229 and later
MS71x, M5163dn LW71.DN2.P228 and later LW71.DN2.P229 and later
MS810, MS811, MS812, MS817, MS818 LW71.DN2.P228 and later LW71.DN2.P229 and later

 

 

Obtained Updated Software


To obtain firmware that resolves this issue or if you have special code, please contact Lexmark’s Technical Support Center at http://support.lexmark.com to find your local support center.

 

 

Workarounds


Lexmark recommends a firmware update if your device has affected firmware.

 

 

Exploitation and Public Announcements


Lexmark is not aware of any malicious use against Lexmark products of the vulnerability described in this advisory.

Lexmark would like to thank Daniel Romero and Mario Rivas of NCC group for bringing this issue to our attention.

 

 

 

Status of this Notice:


THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND IS PROVIDED WITHOUT ANY EXPRESS OR IMPLIED GUARANTEE OR WARRANTY WHATSOEVER, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR USE OR PURPOSE. LEXMARK RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

 

  

Distribution


This advisory is posted on Lexmark’s web site at http://support.lexmark.com/alerts
Future updates to this document will be posted on Lexmark’s web site at the same location.

 

 

Revision History

 

Revision Date Reason
1.0 20 - May - 2019 Initial Public Release

 

 Top



Link:
Please enter the email address you would like to send a copy of this page to.