JVNVU#93767756
Null pointer dereference vulnerability in multiple printers and MFPs which implement BROTHER debut web server
Overview
Multiple printers and MFPs (multifunction printers) which implement BROTHER debut web server contain a null pointer dereference vulnerability.
Products Affected
- Specific products/models/versions which implement debut web server 1.20 or 1.30
Description
Multiple printers and MFPs (multifunction printers) which implement Brother debut web server contain a null pointer dereference vulnerability (CWE-476, CVE-2023-29984).
Impact
Processing a specially crafted request may cause a denial-of-service (DoS) condition on the affected products.
Solution
Update the firmware
Apply the appropriate firmware update according to the information provided by the respective vendors.
For details of the updates, refer to the information provided by the respective vendors in the [Vendor Status] section.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
Brother Industries, Ltd. | Vulnerable | 2023/06/29 | Brother Industries, Ltd. website |
FUJIFILM Business Innovation Corp. | Vulnerable | 2023/06/29 | FUJIFILM Business Innovation Corp. website |
TOSHIBA TEC CORPORATION | Vulnerable | 2023/06/29 | TOSHIBA TEC CORPORATION website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector (AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity (AC) | High (H) | Low (L) | | |
Privileges Required (PR) | High (H) | Low (L) | None (N) | |
User Interaction (UI) | Required (R) | None (N) | | |
Scope (S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact (C) | None (N) | Low (L) | High (H) | |
Integrity Impact (I) | None (N) | Low (L) | High (H) | |
Availability Impact (A) | None (N) | Low (L) | High (H) | |
Credit
Darren Johnson directly reported this vulnerability to BROTHER INDUSTRIES, LTD. and FUJIFILM Business Innovation Corp., and both vendors reported this case to JPCERT/CC to request coordination between the reporter and the multiple susceptible vendors.