Published: 2018/12/06  Last Updated: 2018/12/06

JVN#89767228
Multiple vulnerabilities in multiple SEIKO EPSON printers and scanners

Overview

Multiple SEIKO EPSON printers and scanners contain multiple vulnerabilities.

Products Affected

  • DS-570W firmware versions released prior to March 13, 2018
  • DS-780N firmware versions released prior to March 13, 2018
  • EP-10VA firmware versions released prior to September 4, 2017
  • EP-30VA firmware versions released prior to June 19, 2017
  • EP-707A firmware versions released prior to August 1, 2017
  • EP-708A firmware versions released prior to August 7, 2017
  • EP-709A firmware versions released prior to June 12, 2017
  • EP-777A firmware versions released prior to August 1, 2017
  • EP-807AB/AW/AR firmware versions released prior to August 1, 2017
  • EP-808AB/AW/AR firmware versions released prior to August 7, 2017
  • EP-879AB/AW/AR firmware versions released prior to June 12, 2017
  • EP-907F firmware versions released prior to August 1, 2017
  • EP-977A3 firmware versions released prior to August 1, 2017
  • EP-978A3 firmware versions released prior to August 7, 2017
  • EP-979A3 firmware versions released prior to June 12, 2017
  • EP-M570T firmware versions released prior to September 6, 2017
  • EW-M5071FT firmware versions released prior to November 2, 2017
  • EW-M660FT firmware versions released prior to April 19, 2018
  • EW-M770T firmware versions released prior to September 6, 2017
  • PF-70 firmware versions released prior to April 20, 2018
  • PF-71 firmware versions released prior to July 18, 2017
  • PF-81 firmware versions released prior to September 14, 2017
  • PX-048A firmware versions released prior to July 4, 2017
  • PX-049A firmware versions released prior to September 11, 2017
  • PX-437A firmware versions released prior to July 24, 2017
  • PX-M350F firmware versions released prior to February 23, 2018
  • PX-M5040F firmware versions released prior to November 20, 2017
  • PX-M5041F firmware versions released prior to November 20, 2017
  • PX-M650A firmware versions released prior to October 17, 2017
  • PX-M650F firmware versions released prior to October 17, 2017
  • PX-M680F firmware versions released prior to June 29, 2017
  • PX-M7050F firmware versions released prior to October 13, 2017
  • PX-M7050FP firmware versions released prior to October 13, 2017
  • PX-M7050FX firmware versions released prior to November 7, 2017
  • PX-M7070FX firmware versions released prior to April 27, 2017
  • PX-M740F firmware versions released prior to December 4, 2017
  • PX-M741F firmware versions released prior to December 4, 2017
  • PX-M780F firmware versions released prior to June 29, 2017
  • PX-M781F firmware versions released prior to June 27, 2017
  • PX-M840F firmware versions released prior to November 16, 2017
  • PX-M840FX firmware versions released prior to December 8, 2017
  • PX-M860F firmware versions released prior to October 25, 2017
  • PX-S05B/W firmware versions released prior to March 9, 2018
  • PX-S350 firmware versions released prior to February 23, 2018
  • PX-S5040 firmware versions released prior to November 20, 2017
  • PX-S7050 firmware versions released prior to February 21, 2018
  • PX-S7050PS firmware versions released prior to February 21, 2018
  • PX-S7050X firmware versions released prior to November 7, 2017
  • PX-S7070X firmware versions released prior to April 27, 2017
  • PX-S740 firmware versions released prior to December 3, 2017
  • PX-S840 firmware versions released prior to November 16, 2017
  • PX-S840X firmware versions released prior to December 8, 2017
  • PX-S860 firmware versions released prior to December 7, 2017
For details, refer to the information provided by the developer.

Description

Multiple printers and scanners provided by SEIKO EPSON CORPORATION contain multiple vulnerabilities listed below.

  • Open Redirect (CWE-601) - CVE-2018-0688
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N Base Score: 4.7
    CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3
  • HTTP header injection (CWE-113) - CVE-2018-0689
    CVSS v3 CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N Base Score: 4.7
    CVSS v2 AV:N/AC:M/Au:N/C:N/I:P/A:N Base Score: 4.3

Impact

  • The product's web interface may be abused to redirect web browsers to any web site. - CVE-2018-0688
  • The product's web interface may be abused to show fake information or execute arbitrary script on web browsers. - CVE-2018-0689
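
The two weakness classes named above can be closed in one place, the check applied to a redirect target before it is written into a Location header. The following is an added example for a generic web interface, not SEIKO EPSON firmware code and not part of the advisory; the function names, the fallback path and the address 192.0.2.10 are assumptions made for illustration.

```python
from urllib.parse import urlsplit, unquote

FALLBACK = "/"  # assumed landing page of the hypothetical interface


def safe_redirect_target(raw: str, own_host: str) -> str:
    """Return a value that is safe to place in a Location header.

    Anything that is not a local path or a URL on own_host yields FALLBACK.
    """
    decoded = unquote(raw)
    # CWE-113: no control characters (CR, LF, NUL, ...), raw or percent-encoded.
    if any(ord(c) < 0x20 or ord(c) == 0x7F for c in raw + decoded):
        return FALLBACK
    # Browsers treat "\" like "/", so "/\host" can leave the site.
    if "\\" in decoded:
        return FALLBACK
    try:
        parts = urlsplit(raw)
    except ValueError:  # malformed authority, e.g. a broken IPv6 literal
        return FALLBACK
    if parts.scheme or parts.netloc:
        # CWE-601: absolute and scheme-relative URLs must point back at us.
        same_host = parts.hostname == own_host and "@" not in parts.netloc
        if parts.scheme in ("http", "https") and same_host:
            return raw
        return FALLBACK
    # Relative form: accept rooted paths only ("//..." would name another host).
    return raw if raw.startswith("/") and not raw.startswith("//") else FALLBACK


def location_header_lines(value: str) -> list[str]:
    """Header lines a server would emit if it wrote the decoded value unchecked."""
    return ("Location: " + unquote(value)).split("\r\n")


if __name__ == "__main__":
    host = "192.0.2.10"  # constructed device address (documentation range)
    samples = [  # constructed inputs
        "/status.html",
        "http://192.0.2.10/status.html",
        "https://other.example/",
        "//other.example/x",
        "/a%0d%0aSet-Cookie:%20x=1",
    ]
    for s in samples:
        checked = safe_redirect_target(s, host)
        print(f"{s!r:40} -> {checked!r} "
              f"(unchecked: {len(location_header_lines(s))} header line(s))")
```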

Solution

Update the Firmware
Apply the firmware update according to the information provided by the developer.

Vendor Status

Vendor | Status | Last Update | Vendor Notes
SEIKO EPSON CORPORATION | Vulnerable | 2018/12/06 | SEIKO EPSON CORPORATION website

Credit

Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.

Other Information

CVE: CVE-2018-0688, CVE-2018-0689
JVN iPedia: JVNDB-2018-000128