Published: 2024/03/06  Last Updated: 2024/03/06

JVN#82749078
Multiple vulnerabilities in printers and scanners which implement BROTHER Web Based Management

Overview

Multiple printers and scanners which implement Web Based Management provided by BROTHER INDUSTRIES, LTD. contain multiple vulnerabilities.

Products Affected

  • Printers and scanners which implement BROTHER Web Based Management
For details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed below.

Description

Multiple printers and scanners which implement Web Based Management provided by BROTHER INDUSTRIES, LTD. contain multiple vulnerabilities listed below.

  • Improper Authentication (CWE-287) - CVE-2024-21824
    CVSS v3 CVSS:3.0/AV:A/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N Base Score: 5.3
    CVSS v2 AV:A/AC:M/Au:N/C:P/I:N/A:N Base Score: 2.9
  • Cross-Site Request Forgery (CWE-352) - CVE-2024-22475
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N Base Score: 4.3
    CVSS v2 AV:N/AC:H/Au:N/C:N/I:P/A:N Base Score: 2.6

Impact

  • A network-adjacent user who can access the product may impersonate an administrative user - CVE-2024-21824
  • If a user views a malicious page while logged in, unintended operations may be performed - CVE-2024-22475

Solution

Update the firmware
Apply the appropriate firmware update according to the information provided by the respective vendors.

Apply the workaround
Applying the workarounds may mitigate the impact of the CVE-2024-22475 vulnerability.

For details of the updates, refer to the information provided by the respective vendors in the [Vendor Status] section.

Vendor Status

Vendor | Status | Last Update | Vendor Notes
Brother Industries, Ltd. | Vulnerable | 2024/03/06 | Brother Industries, Ltd. website
FUJIFILM Business Innovation Corp. | Vulnerable | 2024/03/06 | FUJIFILM Business Innovation Corp. website
RICOH COMPANY, LTD. | Vulnerable | 2024/03/06 | RICOH COMPANY, LTD. website
TOSHIBA TEC CORPORATION | Vulnerable | 2024/03/06 | TOSHIBA TEC CORPORATION website

Credit

Hiroki Yasui, Yudai Morii, Takaya Noma, Takayuki Sasaki, and Katsunari Yoshioka of Yokohama National University reported these vulnerabilities to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.

Other Information

CVE: CVE-2024-21824, CVE-2024-22475
JVN iPedia: JVNDB-2024-000026