Published: 2024/06/14  Last Updated: 2024/06/14

JVNVU#97136265
Multiple vulnerabilities in Toshiba Tec and Oki Electric Industry MFPs

Overview

Toshiba Tec and Oki Electric Industry MFPs (multifunction printers) contain multiple vulnerabilities.

Products Affected

For details of the affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed in the [Vendor Status] section below.

Description

MFPs (multifunction printers) provided by Toshiba Tec Corporation and Oki Electric Industry Co., Ltd. contain multiple vulnerabilities listed below.

  • Improper Restriction of Recursive Entity References in DTDs ('XML Entity Expansion') (CWE-776) - CVE-2024-27141, CVE-2024-27142
  • Execution with Unnecessary Privileges (CWE-250) - CVE-2024-27143, CVE-2024-27146, CVE-2024-27147, CVE-2024-3498
  • Incorrect Default Permissions (CWE-276) - CVE-2024-27148, CVE-2024-27149, CVE-2024-27150, CVE-2024-27151, CVE-2024-27152, CVE-2024-27153, CVE-2024-27155, CVE-2024-27167, CVE-2024-27171
  • Path Traversal (CWE-22) - CVE-2024-27144, CVE-2024-27145, CVE-2024-27173, CVE-2024-27174, CVE-2024-27176, CVE-2024-27177, CVE-2024-27178
  • Insertion of Sensitive Information into Log File (CWE-532) - CVE-2024-27154, CVE-2024-27156, CVE-2024-27157
  • Plaintext Storage of a Password (CWE-256) - CVE-2024-27166
  • Debug Messages Revealing Unnecessary Information (CWE-1295) - CVE-2024-27179
  • Use of Default Credentials (CWE-1392) - CVE-2024-27158
  • Use of Hard-coded Credentials (CWE-798) - CVE-2024-27159, CVE-2024-27160, CVE-2024-27161, CVE-2024-27168, CVE-2024-27170
  • Use of Hard-coded Password (CWE-259) - CVE-2024-27164
  • Cross-site Scripting (CWE-79) - CVE-2024-27162
  • Cleartext Transmission of Sensitive Information (CWE-319) - CVE-2024-27163
  • Least Privilege Violation (CWE-272) - CVE-2024-27165
  • Missing Authentication for Critical Function (CWE-306) - CVE-2024-27169
  • OS Command Injection (CWE-78) - CVE-2024-27172
  • External Control of File Name or Path (CWE-73) - CVE-2024-27175
  • Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367) - CVE-2024-27180
  • Authentication Bypass Using an Alternate Path or Channel (CWE-288) - CVE-2024-3496
  • Relative Path Traversal (CWE-23) - CVE-2024-3497

Impact

  • An attacker who can access the affected products may cause a denial-of-service (DoS) condition - CVE-2024-27141, CVE-2024-27142
  • An attacker who can access the affected products may execute arbitrary code - CVE-2024-27143, CVE-2024-27146, CVE-2024-27147, CVE-2024-27148, CVE-2024-27149, CVE-2024-27150, CVE-2024-27151, CVE-2024-27152, CVE-2024-27153, CVE-2024-27155, CVE-2024-27167, CVE-2024-27171, CVE-2024-27144, CVE-2024-27145, CVE-2024-27173, CVE-2024-27174, CVE-2024-27176, CVE-2024-27177, CVE-2024-27178, CVE-2024-27165, CVE-2024-27172, CVE-2024-3497, CVE-2024-3498
  • An attacker who can access the affected products may obtain information - CVE-2024-27154, CVE-2024-27156, CVE-2024-27157, CVE-2024-27166, CVE-2024-27179, CVE-2024-27158, CVE-2024-27159, CVE-2024-27160, CVE-2024-27161, CVE-2024-27168, CVE-2024-27170, CVE-2024-27164, CVE-2024-27162, CVE-2024-27163, CVE-2024-27175, CVE-2024-3496
  • An attacker who can access the affected products may access the administrative interface - CVE-2024-27169
  • An attacker who can access the affected products may alter information - CVE-2024-27180
For more information, refer to the information provided by the respective vendors.

Solution

Update the firmware
Apply the appropriate firmware update according to the information provided by the respective vendors.

Apply workaround
Applying the following workarounds may mitigate the impacts of these vulnerabilities.

  • Use MFPs only on a network protected by a firewall or similar controls
  • Use the IP address filter function to block access from untrusted hosts
  • Restrict physical access to the network to which the MFPs are connected
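The second and third workarounds both come down to default-deny allowlisting: only named management hosts may reach the MFP's services, everything else is dropped, and the rule lives both on the device (its IP address filter) and on the upstream firewall. The following added example, which is not part of the JVN advisory or either vendor's documentation, shows that check in Python and renders an equivalent nftables ruleset for an upstream Linux firewall. The MFP address, the trusted prefixes, the port list, the `mfp_guard` table and chain names, and the sample connection attempts are all constructed assumptions; take the real service ports from the vendor documentation.

```python
"""Default-deny allowlisting in front of an MFP.

Added illustration of the IP filter / firewall workarounds. The addresses,
ports and connection attempts below are constructed, not taken from the
advisory or from either vendor.
"""
import ipaddress

# Constructed: the MFP and the only sources that should reach its services.
MFP_ADDRESS = ipaddress.ip_address("10.20.30.40")
TRUSTED_SOURCES = [
    ipaddress.ip_network("10.20.31.0/24"),    # assumed print-server / admin VLAN
    ipaddress.ip_network("10.20.30.200/32"),  # assumed management workstation
]
# Assumed MFP service ports: embedded web UI, LPD, IPP, raw printing.
MFP_PORTS = (80, 443, 515, 631, 9100)

# Constructed connection attempts: (source address, destination port).
SAMPLE_ATTEMPTS = [
    ("10.20.31.17", 443),    # admin VLAN host -> allow
    ("10.20.30.200", 9100),  # management workstation -> allow
    ("10.20.30.77", 80),     # same subnet as the MFP, but not trusted -> deny
    ("192.0.2.5", 631),      # outside host -> deny
    ("fe80::1", 443),        # IPv6 source, only IPv4 prefixes trusted -> deny
    ("not-an-ip", 80),       # malformed source field -> deny, not crash
]


def is_allowed(src, trusted=TRUSTED_SOURCES):
    """Default deny: allow only if src falls inside a trusted prefix.

    Unparseable input is denied rather than raising, so a malformed header
    or log field can never flip the decision to 'allow'. Address family is
    compared explicitly because an IPv6 address is never 'in' an IPv4 net.
    """
    try:
        addr = ipaddress.ip_address(src)
    except ValueError:
        return False
    return any(addr.version == net.version and addr in net for net in trusted)


def evaluate_attempts(attempts=SAMPLE_ATTEMPTS):
    """Return (src, port, decision) for each connection attempt."""
    return [(src, port, "allow" if is_allowed(src) else "deny")
            for src, port in attempts]


def nftables_rules(mfp=MFP_ADDRESS, trusted=TRUSTED_SOURCES, ports=MFP_PORTS):
    """Render the same policy as an nftables ruleset for an upstream firewall.

    Traffic to the MFP is accepted only from trusted prefixes on the listed
    ports; any other packet addressed to the MFP is dropped. Table and chain
    names are assumptions; adapt them to the existing ruleset.
    """
    fam = "ip" if mfp.version == 4 else "ip6"
    src_set = ", ".join(str(n) for n in trusted if n.version == mfp.version)
    port_set = ", ".join(str(p) for p in ports)
    lines = [
        "table inet mfp_guard {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy accept;",
        f"    {fam} daddr {mfp} {fam} saddr {{ {src_set} }} "
        f"tcp dport {{ {port_set} }} accept",
        f"    {fam} daddr {mfp} drop",
        "  }",
        "}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    for src, port, decision in evaluate_attempts():
        print(f"{src:>14} -> tcp/{port}: {decision}")
    print(nftables_rules())
```

The allowlist narrows who can reach the vulnerable services; it does not remove them. An attacker who already controls a host inside a trusted prefix is unaffected, so the workaround complements the firmware update rather than replacing it.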
For the details of the updates and workarounds, refer to the information provided by the respective vendors in the [Vendor Status] section.

Vendor Status

Vendor                           Status      Last Update  Vendor Notes
Oki Electric Industry Co., Ltd.  Vulnerable  2024/06/14   Oki Electric Industry Co., Ltd. website
Toshiba Tec Corporation          Vulnerable  2024/06/14   Toshiba Tec Corporation website

Credit

Toshiba Tec Corporation reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
