Published:2024/09/30  Last Updated:2024/11/11

JVNVU#95133448
Insecure initial password configuration issue in SEIKO EPSON Web Config

Overview

In multiple SEIKO EPSON products, when the product is connected to network without the Web Config settings configured, an arbitrary password may be set, and the product may be operated with an administrative privilege by an attacker.

Products Affected

  • Web Config
For the information of the affected devices, please refer to the information provided by the developer.

Description

Web Config is software that allows users to check the status and change the settings of SEIKO EPSON products, e.g., printers and scanners, via a web browser. In the initial setting no administrative password is set, and when a user connects the device and configures Web Config settings for the first time, the user is requested to set the password.
Therefore, when a product is connected to network without the Web Config settings configured, arbitrary password may be set and the device may be operated with an administrative privilege by an attacker (CWE-1188).

Impact

When the product is connected to network without the Web Config settings configured, an arbitrary password may be set and the product may be operated with an administrative privilege by an attacker.

Solution

Apply the workaround
Applying the following workaround may mitigate the impact of this vulnerability.

  • Set the administrative password
In the section 3 of developer's Security Guidebook, it is strongly recommended to set the administrative password when installing product.

Vendor Status

Vendor Link
SEIKO EPSON CORPORATION Insecure Initial Password Configuration in Epson WebConfig Vulnerability
Security Guidebook

References

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Base Score: 8.1
Attack Vector(AV) Physical (P) Local (L) Adjacent (A) Network (N)
Attack Complexity(AC) High (H) Low (L)
Privileges Required(PR) High (H) Low (L) None (N)
User Interaction(UI) Required (R) None (N)
Scope(S) Unchanged (U) Changed (C)
Confidentiality Impact(C) None (N) Low (L) High (H)
Integrity Impact(I) None (N) Low (L) High (H)
Availability Impact(A) None (N) Low (L) High (H)

Comment

The attack scenario assumes the condition that the target device is connected to network with Web Config never configured. AC (Attack Complexity) is evaluated as H (High) according to CVSS 3.0 specification.

Credit

George Puckett reported this vulnerability to CERT/CC.
Requested by CERT/CC, JPCERT/CC coordinated with the developer.

Other Information

JPCERT Alert
JPCERT Reports
CERT Advisory
CPNI Advisory
TRnotes
CVE CVE-2024-47295
JVN iPedia

Update History

2024/11/11
Information under the section [Vendor Status] was updated