Thank you for your feedback



Lexmark Security Advisory: Lexmark Services Monitor (LSM) Directory Traversal Vulnerability (CVE-2019-16758)

Document ID:TE930

Usergroup :External
  Languages  
  Properties  

Solution

Lexmark Security Advisory:

 Revision: 1.0
 Last update:    06 Dec 2019
 Public Release Date: 18 Dec 2019

 

Summary

Lexmark Services Monitor, (LSM) contains a directory traversal vulnerability that can be exploited to extract files from the operating system on which LSM is installed.

Lexmark Services Monitor is no longer supported; all users should migrate to Lexmark Remote Asset Manager (LRAM). 

 

References

CVE:  

CVE-2019-16758

 

Details

A vulnerability has been identified in the discontinued Lexmark Services Monitor (LSM) product that allows files to be retrieved from the system on which LSM is running. The vulnerability allows an unauthenticated user to access any information stored on the LSM system.

LSM is a discontinued product; all users should migrate to Lexmark Remote Asset Manager (LRAM).

CVSSv3.1 Base Score 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Impact Subscore: 3.6  
Exploitability Subscore: 3.9  

CVSSv3.1 scores are calculated in accordance with CVSS version 3.1 (https://www.first.org/cvss/user-guide)

 

Impact 

Successful exploitation of this vulnerability can lead to disclosure of all information stored on the system running LSM.

 

Affected Products

All systems running Lexmark Services Monitor are affected.

 

Obtaining Updated Software

To obtain software that resolves this issue or if you have special code, please contact Lexmark’s Technical Support Center at http://support.lexmark.com to find your local support center.

 

Workarounds

Lexmark recommends replacing Lexmark Services Monitor (LSM) with Lexmark Remote Asset Manager (LRAM).

 

Exploitation and Public Announcements

Lexmark is not aware of any malicious use against Lexmark products of the vulnerability described in this advisory.

Lexmark would like to thank Kevin Randall of TECH LOCK Inc. for bringing this issue to our attention.

 

Status of this Notice:

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND IS PROVIDED WITHOUT ANY EXPRESS OR IMPLIED GUARANTEE OR WARRANTY WHATSOEVER, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR USE OR PURPOSE. LEXMARK RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

 

Distribution

This advisory is posted on Lexmark’s web site at http://support.lexmark.com/alerts. Future updates to this document will be posted on Lexmark’s web site at the same location..

 

Revision History

Revision Date Reason
1.0 18 Dec 2019 Initial Public Release

 

 

 Top



Link:
Please enter the email address you would like to send a copy of this page to.