Published: 2022/12/15  Last Updated: 2022/12/16

JVNVU#96195138
Command injection vulnerability in SHARP Multifunctional Products (MFP)

Overview

SHARP Multifunctional Products (MFP) contain a command injection vulnerability.

Products Affected

A wide range of product models and firmware versions is affected by this vulnerability.

For more information, refer to the information provided by the developer.

  • Digital Full-color Multifunctional System
  • Digital Multifunctional System (Monochrome)

Description

SHARP Multifunctional Products (MFP) contain a command injection vulnerability (CWE-77, CVE-2022-45796).

Impact

If this vulnerability is exploited, an arbitrary command may be executed on the affected MFP firmware.

The developer states that the following are the prerequisites for exploiting this vulnerability.

  • A remote attacker has network access to the affected MFP
  • A remote attacker is authenticated with administrative privileges on the affected MFP
For more information, refer to the information provided by the developer.

Solution

Update the firmware
Apply the appropriate firmware update according to the information provided by the developer.
For details such as how to update the firmware and where to obtain the firmware update, refer to the Sharp Corporation - Sharp Global Support page.

Apply workaround
Applying the following workarounds may mitigate the impact of this vulnerability.

  • Connect MFPs to the internet only from within a securely protected network, for example behind a firewall or similar network appliance
  • Change the factory-shipped default administrative password, and manage it appropriately
For details of the workarounds, refer to the Sharp Corporation - Sharp Global Support page.

References

  1. ZUSO ART Advisory
    SHARP Multifunction Printer - Command Injection

JPCERT/CC Addendum

Vulnerability Analysis by JPCERT/CC

CVSS v3 CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Base Score: 9.1
Attack Vector (AV): Network (N)
Attack Complexity (AC): Low (L)
Privileges Required (PR): High (H)
User Interaction (UI): None (N)
Scope (S): Changed (C)
Confidentiality Impact (C): High (H)
Integrity Impact (I): High (H)
Availability Impact (A): High (H)

Comment

The vulnerability affects the OS layer beyond the web application component; treating the web application component as separate from the OS layer, Scope is analyzed as Changed (S:C).

Credit

Sharp reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.

Update History

2022/12/16
ZUSO ART advisory link was added under [References] section