Published: 2021/03/19 Last Updated: 2021/04/09
JVN#37607293
Fuji Xerox multifunction devices and printers vulnerable to denial-of-service (DoS)
Overview
Fuji Xerox multifunction devices and printers contain a denial-of-service (DoS) vulnerability.
Products Affected
A wide range of products is affected.
For more information, refer to the information provided by the developer.
Description
Multifunction devices and printers provided by Fuji Xerox Co.,Ltd. contain a denial-of-service (DoS) vulnerability.
Impact
An attacker may cause the products to be terminated by sending a specially crafted command.
In order to restart the products, the physical power button on the devices must be operated.
Solution
Update the Firmware
- Multifunction devices
  - Update to the latest version according to the information provided by the developer. The updated firmware is to be downloaded through the network using the remote maintenance service or to be applied by customer service engineers. For more information, contact the developer.
- Printers
  - Update to the latest version according to the information provided by the developer.
Apply Workarounds
Apply the following workarounds to mitigate the impact of this vulnerability:
- Place the product in a secure network, such as a network protected by firewalls.
- Permit access only from trusted IP addresses when connecting to the Internet.
- Use secure methods, such as Virtual Private Networks (VPNs), when remote access is necessary.
Vendor Status
Vendor | Status | Last Update | Vendor Notes |
---|---|---|---|
Fuji Xerox Co.,Ltd. | Vulnerable | 2021/04/07 | Fuji Xerox Co.,Ltd. website |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
CVSS v3
CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:L
Base Score: 4.3
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | | |
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | | |
Scope(S) | Unchanged (U) | Changed (C) | | |
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) | |
CVSS v2
AV:A/AC:L/Au:N/C:N/I:N/A:P
Base Score: 3.3
Access Vector(AV) | Local (L) | Adjacent Network (A) | Network (N) |
---|---|---|---|
Access Complexity(AC) | High (H) | Medium (M) | Low (L) |
Authentication(Au) | Multiple (M) | Single (S) | None (N) |
Confidentiality Impact(C) | None (N) | Partial (P) | Complete (C) |
Integrity Impact(I) | None (N) | Partial (P) | Complete (C) |
Availability Impact(A) | None (N) | Partial (P) | Complete (C) |
Credit
Masahiro Kawada of Ierae Security Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
Other Information
JPCERT Alert | |
JPCERT Reports | |
CERT Advisory | |
CPNI Advisory | |
TRnotes | |
CVE | CVE-2021-20679 |
JVN iPedia | JVNDB-2021-000026 |
Update History
- 2021/04/07
  - Fuji Xerox Co.,Ltd. update status
- 2021/04/09
  - The hyperlink URL under [Products Affected] was updated