JVNVU#95133448
Insecure initial password configuration issue in SEIKO EPSON Web Config
Overview
In multiple SEIKO EPSON products, when the product is connected to network without the Web Config settings configured, an arbitrary password may be set, and the product may be operated with an administrative privilege by an attacker.
Products Affected
- Web Config
Description
Web Config is software that allows users to check the status and change the settings of SEIKO EPSON products, e.g., printers and scanners, via a web browser. In the initial setting no administrative password is set, and when a user connects the device and configures Web Config settings for the first time, the user is requested to set the password.
Therefore, when a product is connected to network without the Web Config settings configured, arbitrary password may be set and the device may be operated with an administrative privilege by an attacker (CWE-1188).
Impact
When the product is connected to network without the Web Config settings configured, an arbitrary password may be set and the product may be operated with an administrative privilege by an attacker.
Solution
Apply the workaround
Applying the following workaround may mitigate the impact of this vulnerability.
- Set the administrative password
Vendor Status
Vendor | Link |
SEIKO EPSON CORPORATION | Vulnerability in Web Config in Printers, Scanners and Network Interface Products |
Security Guidebook |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
---|---|---|---|---|
Attack Complexity(AC) | High (H) | Low (L) | ||
Privileges Required(PR) | High (H) | Low (L) | None (N) | |
User Interaction(UI) | Required (R) | None (N) | ||
Scope(S) | Unchanged (U) | Changed (C) | ||
Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
Integrity Impact(I) | None (N) | Low (L) | High (H) | |
Availability Impact(A) | None (N) | Low (L) | High (H) |
Comment
The attack scenario assumes the condition that the target device is connected to network with Web Config never configured. AC (Attack Complexity) is evaluated as H (High) according to CVSS 3.0 specification.
Credit
George Puckett reported this vulnerability to CERT/CC.
Requested by CERT/CC, JPCERT/CC coordinated with the developer.
Other Information
JPCERT Alert |
|
JPCERT Reports |
|
CERT Advisory |
|
CPNI Advisory |
|
TRnotes |
|
CVE |
CVE-2024-47295 |
JVN iPedia |
|