Cross-site request forgery in FUJIFILM printers

Published: 2024-03-06

Risk	Low
Patch available	NO
Number of vulnerabilities	1
CVE-ID	CVE-2024-27974
CWE-ID	CWE-352
Exploitation vector	Network
Public exploit	N/A
Vulnerable software	DocuPrint P455 d Hardware solutions / Office equipment, IP-phones, print servers DocuPrint M455 df Hardware solutions / Office equipment, IP-phones, print servers DocuPrint C2255 Hardware solutions / Office equipment, IP-phones, print servers DocuCentre-IV C2260 Hardware solutions / Office equipment, IP-phones, print servers DocuCentre-IV C2270 Hardware solutions / Office equipment, IP-phones, print servers DocuCentre-IV C3370 Hardware solutions / Office equipment, IP-phones, print servers DocuCentre-IV C4470 Hardware solutions / Office equipment, IP-phones, print servers DocuCentre-IV C5570 Hardware solutions / Office equipment, IP-phones, print servers ApeosPort-IV C2270 Hardware solutions / Office equipment, IP-phones, print servers ApeosPort-IV C3370 Hardware solutions / Office equipment, IP-phones, print servers ApeosPort-IV C4470 Hardware solutions / Office equipment, IP-phones, print servers ApeosPort-IV C5570 Hardware solutions / Office equipment, IP-phones, print servers ApeosPort-IV C2270 R Hardware solutions / Office equipment, IP-phones, print servers ApeosPort-IV C3370 R Hardware solutions / Office equipment, IP-phones, print servers ApeosPort-IV C4470 R Hardware solutions / Office equipment, IP-phones, print servers ApeosPort-IV C5570 R Hardware solutions / Office equipment, IP-phones, print servers ApeosWide 6050/3030 Hardware solutions / Office equipment, IP-phones, print servers DocuWide 6057/3037 Hardware solutions / Office equipment, IP-phones, print servers DocuWide 6055 Hardware solutions / Office equipment, IP-phones, print servers DocuWide 3035 Hardware solutions / Office equipment, IP-phones, print servers
Vendor	FUJIFILM Business Innovation

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Cross-site request forgery

EUVDB-ID: #VU87139

Risk: Low

CVSSv4.0: 1.2 [CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:A/VC:L/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear]

CVE-ID: CVE-2024-27974

CWE-ID: CWE-352 - Cross-Site Request Forgery (CSRF)

Exploit availability: No

Description

The vulnerability allows a remote attacker to perform cross-site request forgery attacks.

The vulnerability exists due to insufficient validation of the HTTP request origin in the CentreWare Internet Services and Internet Services. A remote attacker can trick the victim to visit a specially crafted web page and perform arbitrary actions on behalf of the victim on the vulnerable website.

Mitigation

Cybersecurity Help is currently unaware of any official solution to address this vulnerability.

Vulnerable software versions

DocuPrint P455 d: All versions

DocuPrint M455 df: All versions

DocuPrint C2255: All versions

DocuCentre-IV C2260: All versions

DocuCentre-IV C2270: All versions

DocuCentre-IV C3370: All versions

DocuCentre-IV C4470: All versions

DocuCentre-IV C5570: All versions

ApeosPort-IV C2270: All versions

ApeosPort-IV C3370: All versions

ApeosPort-IV C4470: All versions

ApeosPort-IV C5570: All versions

ApeosPort-IV C2270 R: All versions

ApeosPort-IV C3370 R: All versions

ApeosPort-IV C4470 R: All versions

ApeosPort-IV C5570 R: All versions

ApeosWide 6050/3030: All versions

DocuWide 6057/3037: All versions

DocuWide 6055: All versions

DocuWide 3035: All versions

CPE2.3

External links

https://jvn.jp/en/jp/JVN34328023/index.html
https://www.fujifilm.com/fbglobal/eng/company/news/notice/2024/0306_1_announce.html

Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

How the attacker can exploit this vulnerability?

The attacker would have to send a specially crafted request to the affected device in order to exploit this vulnerability.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.