Published: 2020/02/25  Last Updated: 2020/02/25

JVN#52962201
Multiple vulnerabilities in RICOH printers

Overview

RICOH printers contain multiple vulnerabilities.

Products Affected

A wide range of products is affected.
For more information, refer to the information provided by the developer.

Description

Multiple RICOH printers contain multiple vulnerabilities listed below.

  • Information Disclosure (CWE-200) - CVE-2019-14301
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score: 6.5
    CVSS v2 AV:A/AC:L/Au:N/C:P/I:N/A:N Base Score: 3.3
  • Improper Access Control (CWE-284) - CVE-2019-14302
    CVSS v3 CVSS:3.0/AV:P/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H Base Score: 6.8
    CVSS v2 AV:L/AC:L/Au:N/C:P/I:P/A:P Base Score: 4.6
  • Cross-site Request Forgery (CWE-352) - CVE-2019-14304
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L Base Score: 5.4
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:P Base Score: 4.0
  • Improper Authentication (CWE-287) - CVE-2019-14306
    CVSS v3 CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score: 6.5
    CVSS v2 AV:A/AC:L/Au:N/C:P/I:N/A:N Base Score: 3.3

Impact

  • A user who can access the device may access the debugging Web page and obtain sensitive information - CVE-2019-14301
  • A user who can physically access the device may execute arbitrary code, alter settings, and/or disable the function - CVE-2019-14302
  • If a user accesses a specially crafted page, unintended operations such as changing settings of the device may be performed - CVE-2019-14304
  • A user who can access the device may obtain the device settings information - CVE-2019-14306

Solution

Update the Firmware
Apply the appropriate firmware update according to the information provided by the developer.

Vendor Status

Vendor               Status      Last Update  Vendor Notes
RICOH COMPANY, LTD.  Vulnerable  2020/02/25   RICOH COMPANY, LTD. website

Credit

RICOH COMPANY, LTD. reported this vulnerability to IPA to notify users of its solution through JVN. JPCERT/CC and RICOH COMPANY, LTD. coordinated under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2019-14301, CVE-2019-14302, CVE-2019-14304, CVE-2019-14306
JVN iPedia: JVNDB-2019-014136, JVNDB-2019-014137, JVNDB-2019-014031, JVNDB-2019-014138