JVN#34328023
FUJIFILM Business Innovation Corp. printers vulnerable to cross-site request forgery
Overview
FUJIFILM Business Innovation Corp. printers contain a cross-site request forgery vulnerability.
Products Affected
As for the details of affected product names, model numbers, and versions, refer to the information provided by the vendor listed below.
Description
Multiple printers provided by FUJIFILM Business Innovation Corp. contain a cross-site request forgery vulnerability (CWE-352).
Impact
If a user views a malicious page while logging in, the user information may be altered. In the case the user is an administrator, the settings such as the administrator's ID, password, etc. may be altered.
Solution
Apply workarounds
The developer states that there are some obsolite models where CSRF prevention function is not implemented.
For those models, applying the following workaround may mitigate the impact of this vulnerability.
- Disable Web UI communication function in the product's settings
Vendor Status
| Vendor | Link |
| FUJIFILM Business Innovation Corp. | Notification on the vulnerability for CentreWare Internet Services or Internet Services in FUJIFILM printers |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
| Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
|---|---|---|---|
| Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
| Authentication(Au) | Multiple (M) | Single (S) | None (N) |
| Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
| Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
| Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Junnosuke Kushibiki, Ryu Kuki, Masataka Mizokuchi, Takayuki Sasaki, and Katsunari Yoshioka of Yokohama National University reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2024-27974 |
| JVN iPedia |
JVNDB-2024-000027 |