JVNVU#96482726
FUJIFILM Business Innovation Corp. and Xerox Corporation MFPs export Address Books with insufficient encryption strength
Overview
Multiple MFPs (multifunction printers) provided by FUJIFILM Business Innovation Corp. and Xerox Corporation export Address Books with insufficient encryption strength.
Products Affected
As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed below.
Description
Multiple MFPs (multifunction printers) provided by FUJIFILM Business Innovation Corp. and Xerox Corporation provide a facility to export the contents of their Address Book with encrypted form, but the encryption strength is insufficient (CWE-1391).
Impact
With the knowledge of the encryption process and the encryption key, the information such as the server credentials may be obtained from the exported Address Book data.
Solution
Update the firmware
Apply the appropriate firmware update according to the information provided by the respective vendors.
For the details of the updates, refer to the information provided by the respective vendors from [Vendor Status] section.
Vendor Status
| Vendor | Link |
| FUJIFILM Business Innovation Corp. | Notification on the vulnerability in the encryption method used in the Address Book |
| Xerox Corporation | Mini Bulletin XRX23-015 CVE-2023-46327 |
References
JPCERT/CC Addendum
Vulnerability Analysis by JPCERT/CC
| Attack Vector(AV) | Physical (P) | Local (L) | Adjacent (A) | Network (N) |
|---|---|---|---|---|
| Attack Complexity(AC) | High (H) | Low (L) | ||
| Privileges Required(PR) | High (H) | Low (L) | None (N) | |
| User Interaction(UI) | Required (R) | None (N) | ||
| Scope(S) | Unchanged (U) | Changed (C) | ||
| Confidentiality Impact(C) | None (N) | Low (L) | High (H) | |
| Integrity Impact(I) | None (N) | Low (L) | High (H) | |
| Availability Impact(A) | None (N) | Low (L) | High (H) |
Comment
This CVSSv3 Score was assessed based on the assumed attack scenario below.
1) An attacker obtains the exported Address Book data
2) Tamper a file on the sever by obtaining the credentials used for connecting to the sever where the scanned data is saved
Credit
Kunal Thakrar and Ceri Coburn of Pen Test Partners directly reported this vulnerability to FUJIFILM Business Innovation Corp.
FUJIFILM Business Innovation Corp. reported this case to JPCERT/CC to request the coordination with the reporter.
Other Information
| JPCERT Alert |
|
| JPCERT Reports |
|
| CERT Advisory |
|
| CPNI Advisory |
|
| TRnotes |
|
| CVE |
CVE-2023-46327 |
| JVN iPedia |
|