Impact of vulnerabilities CVE-2023-34259, CVE-2023-34260, and CVE-2023-34261 on our products
I. Summary of security vulnerabilities
Product:
Various systems
(see below for a detailed list of affected models)
Publication:
July 5, 2023
Description:
We would like to inform you that security vulnerabilities have been identified in the web interface of our printers and multifunction devices. This web interface allows users to view and change various settings of multifunction devices via the network. Below is an overview of the issue and its resolution. As of the date of this publication, we are not aware of any attacks exploiting these vulnerabilities.
Three security risks have been identified:
- Vulnerability CVE-2023-34259 | Path Traversal: The web interface has a path traversal vulnerability. This is a type of web application attack. By manipulating the value of the file path, an attacker can gain access to the file system, including source code and critical system settings.
- Vulnerability CVE-2023-34260 | Denial of Service (DoS): There is a vulnerability that renders the web interface inoperable via a DoS attack. By manipulating the value of the file path, the web interface can be rendered inoperable.
- Vulnerability CVE-2023-34261 | User enumeration: By making multiple login attempts, an attacker can determine whether a login username exists in the database for the device to which the web interface is connected.
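The first two issues both start from a manipulated file path value, so the sketch below shows one way a web interface can confine request paths to its document root and answer malformed values with an error status instead of failing. It is an added example, not TA Triumph-Adler firmware code; `WEB_ROOT`, `MAX_PATH_LEN` and `resolve_request_path` are hypothetical names and values, and a POSIX file system is assumed.

```python
import os
from urllib.parse import unquote

WEB_ROOT = "/srv/webui"  # hypothetical document root (assumption)
MAX_PATH_LEN = 255       # assumed upper bound for a request path


def resolve_request_path(raw, root=WEB_ROOT):
    """Map a request path to a file under root.

    Returns (status, absolute_path_or_None). Malformed input yields an
    error status rather than an exception, so a bad path value cannot
    take the request handler down.
    """
    if not isinstance(raw, str) or len(raw) > MAX_PATH_LEN:
        return 400, None
    decoded = unquote(raw)  # decode percent-encoding exactly once
    # Reject NUL bytes, backslashes, and anything still percent-encoded
    # after one decode (double encoding).
    if "\x00" in decoded or "\\" in decoded or "%" in decoded:
        return 400, None
    root_abs = os.path.realpath(root)
    # realpath collapses ".." segments and follows symlinks before the check.
    candidate = os.path.realpath(os.path.join(root_abs, decoded.lstrip("/")))
    try:
        inside = os.path.commonpath([root_abs, candidate]) == root_abs
    except ValueError:
        return 400, None
    if not inside:
        return 403, None  # resolved location is outside the document root
    return 200, candidate


if __name__ == "__main__":
    # Constructed sample request paths, for illustration only.
    samples = ["index.html", "../../etc/passwd", "..%2f..%2fetc%2fpasswd",
               "%252e%252e%252fconfig", "file%00.html", "a" * 10000]
    for sample in samples:
        status, path = resolve_request_path(sample)
        print(status, repr(sample[:30]), path)
```

The containment check runs on the fully resolved path, after decoding, so encoded and symlinked escapes are judged by where they actually land.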
II. Solution:
The IT security of our customers is a top priority for TA Triumph-Adler. As a countermeasure, firmware is being made available that controls the paths managed by the web interface. Below is an overview of affected systems, including the release date of the respective firmware update: