#VU76478 Improper access control in Canon U.S.A. products


Vulnerability identifier: #VU76478

Vulnerability risk: Low

CVSSv3.1: 2.7 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:L/I:N/A:N/E:U/RL:O/RC:C]

CVE-ID: CVE-2023-0858

CWE-ID: CWE-284

Exploitation vector: Network

Exploit availability: No

Vulnerable software:
imageCLASS MF1127C
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS MF262DW II
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS MF264DW II
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS MF267DW II
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS MF269DW II
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS MF269DW VP II
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS MF272DW
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS MF273DW
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS MF275DW
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS MF641CW
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS MF642CDW
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS MF644CDW
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS MF741CDW
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS MF743CDW
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS MF745CDW
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS MF746CDW
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS LBP122DW
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS LBP1127C
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS LBP622CDW
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS LBP623CDW
Hardware solutions / Office equipment, IP-phones, print servers
imageCLASS LBP664CDW
Hardware solutions / Office equipment, IP-phones, print servers
imagePROGRAF TC-20
Hardware solutions / Office equipment, IP-phones, print servers
imagePROGRAF TC-20M
Hardware solutions / Office equipment, IP-phones, print servers
PIXMA G3270
Hardware solutions / Office equipment, IP-phones, print servers
PIXMA G4270
Hardware solutions / Office equipment, IP-phones, print servers
MAXIFY GX3020
Hardware solutions / Office equipment, IP-phones, print servers
MAXIFY GX4020
Hardware solutions / Office equipment, IP-phones, print servers

Vendor: Canon U.S.A.

Description

The vulnerability allows a remote attacker to gain unauthorized access to otherwise restricted functionality.

The vulnerability exists due to improper access restrictions. A remote attacker can bypass implemented security restrictions and gain unauthorized access to the product.

Mitigation
Install updates from vendor's website.

Vulnerable software versions

imageCLASS MF1127C: All versions

imageCLASS MF262DW II: All versions

imageCLASS MF264DW II: All versions

imageCLASS MF267DW II: All versions

imageCLASS MF269DW II: All versions

imageCLASS MF269DW VP II: All versions

imageCLASS MF272DW: All versions

imageCLASS MF273DW: All versions

imageCLASS MF275DW: All versions

imageCLASS MF641CW: All versions

imageCLASS MF642CDW: All versions

imageCLASS MF644CDW: All versions

imageCLASS MF741CDW: All versions

imageCLASS MF743CDW: All versions

imageCLASS MF745CDW: All versions

imageCLASS MF746CDW: All versions

imageCLASS LBP122DW: All versions

imageCLASS LBP1127C: All versions

imageCLASS LBP622CDW: All versions

imageCLASS LBP623CDW: All versions

imageCLASS LBP664CDW: All versions

imagePROGRAF TC-20: All versions

imagePROGRAF TC-20M: All versions

PIXMA G3270: All versions

PIXMA G4270: All versions

MAXIFY GX3020: All versions

MAXIFY GX4020: All versions


External links
http://jvn.jp/en/vu/JVNVU94777298/index.html
http://psirt.canon/advisory-information/cp2023-001/
http://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Vulnerabilities-Remediatio...


Q & A

Can this vulnerability be exploited remotely?

Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability.


Latest bulletins with this vulnerability