Back

NCC Group Publication Archive

Cyber Security

Hardware & Embedded Systems

Technical advisories

May 28, 2019

12 mins read

Technical Advisory: Multiple Vulnerabilities in Lexmark Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Lexmark printers.

The vulnerability list below was found affecting to several Lexmark printers:

SNMP Denial of Service Vulnerability (CVE-2019-9931)
Multiple Overflows in Lexmark Web Server (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933)
Information Disclosure Vulnerabilities (CVE-2019-9934, CVE-2019-9935)
Information Disclosure Vulnerability via Finger Service (CVE-2019-10059)
Lack of Cross-Site Request Forgery Countermeasures (CVE-2019-10057)
No Account Lockout Implemented (CVE-2019-10058)

Technical Advisories:

SNMP Denial of Service Vulnerability (CVE-2019-9931)

Vendor: Lexmark
Vendor URL: https://www.lexmark.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
         Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-9931
Risk: 7.5 CVSSv3

Summary

Some Lexmark printers contain a denial of service vulnerability in their SNMP service. This vulnerability can be exploited to crash the device.

Impact

Successful exploitation of this vulnerability can lead to a denial of service on the affected device by causing it to crash.

Details

A specially crafted request to the SNMP service will cause a vulnerable device to crash. If the “General Settings”->Error Recovery” setting is set to “Auto Reboot” (the default) then the device will automatically reboot until the “Max Auto Reboots” limit is reached.

CVSSv3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Impact Subscore: 3.6
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts to follow at Vendor’s request for time to patch.

Devices Affected

The table below shows the devices and firmware versions affected:

Lexmark Models	Affected Releases	Fixed Releases
CS31x	LW71.VYL.P230 and previous	LW71.VYL.P231 and later
CS41x	LW71.VY2.P230 and previous	LW71.VY2.P231 and later
CS51x	LW71.VY4.P230 and previous	LW71.VY4.P231 and later
CX310	LW71.GM2.P230 and previous	LW71.GM2.P231 and later
CX410 XC2130	LW71.GM4.P230 and previous	LW71.GM4.P231 and later
CX510 XC2132	LW71.GM7.P230 and previous	LW71.GM7.P231 and later
MS310, MS312, MS317	LW71.PRL.P230 and previous	LW71.PRL.P231 and later
MS410, M1140	LW71.PRL.P230 and previous	LW71.PRL.P231 and later
MS315, MS415, MS417	LW71.TL2.P230 and previous	LW71.TL2.P231 and later
MS51x, MS610dn, MS617	LW71.PR2.P230 and previous	LW71.PR2.P231 and later
M1145, M3150dn	LW71.PR2.P230 and previous	LW71.PR2.P231 and later
MS610de, M3150	LW71.PR4.P230 and previous	LW71.PR4.P231 and later
MS71x, M5163dn	LW71.DN2.P230 and previous	LW71.DN2.P231 and later
MS810, MS811, MS812, MS817,MS818	LW71.DN2.P230 and previous	LW71.DN2.P231 and later
MS810de, M5155, M5163	LW71.DN4.P230 and previous	LW71.DN4.P231 and later
MS812de, M5170	LW71.DN7.P230 and previous	LW71.DN7.P231 and later
MS91x	LW71.SA.P230 and previous	LW71.SA.P231 and later
MX31x, XM1135	LW71.SB2.P230 and previous	LW71.SB2.P231 and later
MX410, MX510 MX511	LW71.SB4.P230 and previous	LW71.SB4.P231 and later
XM1140, XM1145	LW71.SB4.P230 and previous	LW71.SB4.P231 and later
MX610 MX611	LW71.SB7.P230 and previous	LW71.SB7.P231 and later
XM3150	LW71.SB7.P230 and previous	LW71.SB7.P231 and later
MX71x, MX81x	LW71.TU.P230 and previous	LW71.TU.P231 and later
XM51xx XM71xx	LW71.TU.P230 and previous	LW71.TU.P231 and later
MX91x XM91x	LW71.MG.P230 and previous	LW71.MG.P231 and later
MX6500e	LW71.JD.P230 and previous	LW71.JD.P231 and later
C746	LHS60.CM2.P697 and previous	LHS60.CM2.P698 and later
C748, CS748	LHS60.CM4.P697 and previous	LHS60.CM4.P698 and later
C792, CS796	LHS60.HC.P697 and previous	LHS60.HC.P698 and later
C925	LHS60.HV.P697 and previous	LHS60.HV.P698 and later
C950	LHS60.TP.P697 and previous	LHS60.TP.P698 and later
X548 XS548	LHS60.VK.P697 and previous	LHS60.VK.P698 and later
X74x XS748	LHS60.NY.P697 and previous	LHS60.NY.P698 and later
X792 XS79x	LHS60.MR.P697 and previous	LHS60.MR.P698 and later
X925 XS925	LHS60.HK.P697 and previous	LHS60.HK.P698 and later
X95x XS95x	LHS60.TQ.P697 and previous	LHS60.TQ.P698 and later
6500e	LHS60.JR.P697 and previous	LHS60.JR.P698 and later
C734	LR.SK.P814 and previous	LR.SK.P815 and later
C736	LR.SKE.P814 and previous	LR.SKE.P815 and later
E46x	LR.LBH.P814 and previous	LR.JBH.P815 and later
T65x	LR.JP.P814 and previous	LR.JP.P815 and later
X46x	LR.BS.P814 and previous	LR.BS.P815 and later
X65x	LR.MN.P814 and previous	LR.MN.P815 and later
X73x	LR.FL.P814 and previous	LR.FL.P815 and later
W850	LP.JB.P814 and previous	LP.JB.P815 and later
X86x	LP.SP.P814 and previous	LP.SP.P815 and later

Vendor Communication

2019-02-06: Responsible Vulnerability Disclosure process initialized
Between February and May: Permanent email contact between NCC Group and Lexmark in order to follow up the process.
2019-05-20: Lexmark Advisory released (CVE-2019-9931)
2019-05-29: NCC Group Advisory released

References

Lexmark CVE-2019-9931 advisory:

http://support.lexmark.com/index?page=content id=TE919 locale=EN userlocale=EN_US

CVE-2019-9931

https://nvd.nist.gov/vuln/detail/CVE-2019-9931

Multiple Overflows in Lexmark Web Server (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933)

Vendor: Lexmark
Vendor URL: https://www.lexmark.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
         Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-9930, CVE-2019-9932, CVE-2019-9933
Risk: 9.8 CVSSv3

Summary

Some Lexmark printers were affected by multiple overflow vulnerabilities that would allow an attacker to execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can lead to remote code execution on the affected device.

Details

Specially crafted requests to the web server will cause a vulnerable device to crash. Two buffer overflows and an integer overflow vulnerability have been identified in the embedded web server of Lexmark devices that allow an attacker to execute arbitrary code on the device.

CVSSv3 Base Score: 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts to follow at Vendor’s request for time to patch.

Devices Affected

The table below shows the devices and firmware versions affected:

Lexmark Models	Affected Releases	Fixed Releases
CS31x	LW71.VYL.P230 and previous	LW71.VYL.P231 and later
CS41x	LW71.VY2.P230 and previous	LW71.VY2.P231 and later
CS51x	LW71.VY4.P230 and previous	LW71.VY4.P231 and later
CX310	LW71.GM2.P230 and previous	LW71.GM2.P231 and later
CX410 XC2130	LW71.GM4.P230 and previous	LW71.GM4.P231 and later
CX510 XC2132	LW71.GM7.P230 and previous	LW71.GM7.P231 and later
MS310, MS312, MS317	LW71.PRL.P230 and previous	LW71.PRL.P231 and later
MS410, M1140	LW71.PRL.P230 and previous	LW71.PRL.P231 and later
MS315, MS415, MS417	LW71.TL2.P230 and previous	LW71.TL2.P231 and later
MS51x, MS610dn, MS617	LW71.PR2.P230 and previous	LW71.PR2.P231 and later
M1145, M3150dn	LW71.PR2.P230 and previous	LW71.PR2.P231 and later
MS610de, M3150	LW71.PR4.P230 and previous	LW71.PR4.P231 and later
MS71x, M5163dn	LW71.DN2.P230 and previous	LW71.DN2.P231 and later
MS810, MS811, MS812, MS817, MS818	LW71.DN2.P230 and previous	LW71.DN2.P231 and later
MS810de, M5155, M5163	LW71.DN4.P230 and previous	LW71.DN4.P231 and later
MS812de, M5170	LW71.DN7.P230 and previous	LW71.DN7.P231 and later
MS91x	LW71.SA.P230 and previous	LW71.SA.P231 and later
MX31x, XM1135	LW71.SB2.P230 and previous	LW71.SB2.P231 and later
MX410, MX510 MX511	LW71.SB4.P230 and previous	LW71.SB4.P231 and later
XM1140, XM1145	LW71.SB4.P230 and previous	LW71.SB4.P231 and later
MX610 MX611	LW71.SB7.P230 and previous	LW71.SB7.P231 and later
XM3150	LW71.SB7.P230 and previous	LW71.SB7.P231 and later
MX71x, MX81x	LW71.TU.P230 and previous	LW71.TU.P231 and later
XM51xx XM71xx	LW71.TU.P230 and previous	LW71.TU.P231 and later
MX91x XM91x	LW71.MG.P230 and previous	LW71.MG.P231 and later
MX6500e	LW71.JD.P230 and previous	LW71.JD.P231 and later
C746	LHS60.CM2.P705 and previous	LHS60.CM2.P706 and later
C748, CS748	LHS60.CM4.P705 and previous	LHS60.CM4.P706 and later
C792, CS796	LHS60.HC.P705 and previous	LHS60.HC.P706 and later
C925	LHS60.HV.P705 and previous	LHS60.HV.P706 and later
C950	LHS60.TP.P705 and previous	LHS60.TP.P706 and later
X548 XS548	LHS60.VK.P705 and previous	LHS60.VK.P706 and later
X74x XS748	LHS60.NY.P705 and previous	LHS60.NY.P706 and later
X792 XS79x	LHS60.MR.P705 and previous	LHS60.MR.P706 and later
X925 XS925	LHS60.HK.P705 and previous	LHS60.HK.P706 and later
X95x XS95x	LHS60.TQ.P705 and previous	LHS60.TQ.P706 and later
6500e	LHS60.JR.P705 and previous	LHS60.JR.P706 and later
C734	LR.SK.P815 and previous	LR.SK.P816 and later
C736	LR.SKE.P815 and previous	LR.SKE.P816 and later
E46x	LR.LBH.P815 and previous	LR.JBH.P816 and later
T65x	LR.JP.P815 and previous	LR.JP.P816 and later
X46x	LR.BS.P815 and previous	LR.BS.P816 and later
X65x	LR.MN.P815 and previous	LR.MN.P816 and later
X73x	LR.FL.P815 and previous	LR.FL.P816 and later
W850	LP.JB.P815 and previous	LP.JB.P816 and later
X86x	LP.SP.P815 and previous	LP.SP.P816 and later

Vendor Communication

2019-02-06: Responsible Vulnerability Disclosure process initialized
Between February and May: Permanent email contact between NCC Group and Lexmark in order to follow up the process.
2019-05-20: Lexmark Advisory released (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933)
2019-05-29: NCC Group Advisory released

References

Lexmark CVE-2019-9930, CVE-2019-9932, CVE-2019-9933 advisory:

http://support.lexmark.com/index?page=content id=TE920 locale=EN userlocale=EN_US

CVE-2019-9930, CVE-2019-9932, CVE-2019-9933

https://nvd.nist.gov/vuln/detail/CVE-2019-9930
https://nvd.nist.gov/vuln/detail/CVE-2019-9932
https://nvd.nist.gov/vuln/detail/CVE-2019-9933

Information Disclosure Vulnerabilities (CVE-2019-9934, CVE-2019-9935)

Vendor: Lexmark
Vendor URL: https://www.lexmark.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
         Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-9934, CVE-2019-9935
Risk: 5.3 CVSSv3

Summary

Some Lexmark printers were affected by different information disclosure vulnerabilities that provided sensitive information to an unauthenticated user.

Impact

Successful exploitation of this vulnerability can lead to the disclosure of information about the device configuration and operation.

Details

Some Lexmark printers were found having several operational and configuration functionalities or files, which could be reached by an unauthenticated user.

CVSSv3 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Impact Subscore: 1.4
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts to follow at Vendor’s request for time to patch.

Devices Affected

The table below shows the devices and firmware versions affected:

Lexmark Models	Affected Releases	Fixed Releases
CS31x	LW71.VYL.P229 and previous	LW71.VYL.P230 and later
CS41x	LW71.VY2.P229 and previous	LW71.VY2.P230 and later
CX310	LW71.GM2.P229 and previous	LW71.GM2.P230 and later
MS310, MS312, MS317	LW71.PRL.P229 and previous	LW71.PRL.P230 and later
MS410, M1140	LW71.PRL.P229 and previous	LW71.PRL.P230 and later
MS315, MS415, MS417	LW71.TL2.P229 and previous	LW71.TL2.P230 and later
MX31x, XM1135	LW71.SB2.P229 and previous	LW71.SB2.P230 and later
MS51x, MS610dn, MS617	LW71.PR2.P229 and previous	LW71.PR2.P230 and later
M1145, M3150dn	LW71.PR2.P229 and previous	LW71.PR2.P230 and later
MS71x, M5163dn	LW71.DN2.P229 and previous	LW71.DN2.P230 and later
MS810, MS811, MS812, MS817, MS818	LW71.DN2.P229 and previous	LW71.DN2.P230 and later

Vendor Communication

2019-02-06: Responsible Vulnerability Disclosure process initialized
Between February and May: Permanent email contact between NCC Group and Lexmark in order to follow up the process.
2019-05-20: Lexmark Advisory released (CVE-2019-9934, CVE-2019-9935)
2019-05-29: NCC Group Advisory released

References

Lexmark CVE-2019-9934, CVE-2019-9935 advisory:

http://support.lexmark.com/index?page=content id=TE924 locale=EN userlocale=EN_US

CVE-2019-9934, CVE-2019-9935

https://nvd.nist.gov/vuln/detail/CVE-2019-9934
https://nvd.nist.gov/vuln/detail/CVE-2019-9935

Information Disclosure Vulnerability via Finger Service (CVE-2019-10059)

Vendor: Lexmark
Vendor URL: https://www.lexmark.com/
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
         Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-10059
Risk: 5.3 CVSSv3

Summary

Some Lexmark printers were affected by an information disclosure vulnerability via the Finger service that provided sensitive information to an unauthenticated user.

Impact

Successful exploitation of this vulnerability can lead to the disclosure of information about the device configuration and operation.

Details

The Lexmark printer implemented a finger service that allowed some sent commands to obtain useful debug information, similar to the information that can be obtained from CVE-2019-9934 and CVE-2019-9935 vulnerabilities.

CVSSv3 Base Score: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N)
Impact Subscore: 1.4
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts to follow at Vendor’s request for time to patch.

Devices Affected

The table below shows the devices and firmware versions affected:

div style=”overflow-x: auto;”>

table style=”width: 100%;” border=”1″>

Lexmark Models
Affected Releases
Fixed Releases

CS31x
LW71.VYL.P233 and previous
LW71.VYL.P234 and later

CS41x
LW71.VY2.P233 and previous
LW71.VY2.P234 and later

CS51x
LW71.VY4.P233 and previous
LW71.VY4.P234 and later

CX310
LW71.GM2.P233 and previous
LW71.GM2.P234 and later

CX410 XC2130
LW71.GM4.P233 and previous
LW71.GM4.P234 and later

CX510 XC2132
LW71.GM7.P233 and previous
LW71.GM7.P234 and later

MS310, MS312, MS317
LW71.PRL.P233 and previous
LW71.PRL.P234 and later

MS410, M1140
LW71.PRL.P233 and previous
LW71.PRL.P234 and later

MS315, MS415, MS417
LW71.TL2.P233 and previous
LW71.TL2.P234 and later

MS51x, MS610dn, MS617
LW71.PR2.P233 and previous
LW71.PR2.P234 and later

M1145, M3150dn
LW71.PR2.P233 and previous
LW71.PR2.P234 and later

MS610de, M3150
LW71.PR4.P233 and previous
LW71.PR4.P234 and later

MS71x, M5163dn
LW71.DN2.P233 and previous
LW71.DN2.P234 and later

MS810, MS811, MS812, MS817, MS818
LW71.DN2.P233 and previous
LW71.DN2.P234 and later

MS810de, M5155, M5163
LW71.DN4.P233 and previous
LW71.DN4.P234 and later

MS812de, M5170
LW71.DN7.P233 and previous
LW71.DN7.P234 and later

MS91x
LW71.SA.P233 and previous
LW71.SA.P234 and later

MX31x, XM1135
LW71.SB2.P233 and previous
LW71.SB2.P234 and later

MX410, MX510 MX511
LW71.SB4.P233 and previous
LW71.SB4.P234 and later

XM1140, XM1145
LW71.SB4.P233 and previous
LW71.SB4.P234 and later

MX610 MX611
LW71.SB7.P233 and previous
LW71.SB7.P234 and later

XM3150
LW71.SB7.P233 and previous
LW71.SB7.P234 and later

MX71x, MX81x
LW71.TU.P233 and previous
LW71.TU.P234 and later

XM51xx XM71xx
LW71.TU.P233 and previous
LW71.TU.P234 and later

MX91x XM91x
LW71.MG.P233 and previous
LW71.MG.P234 and later

MX6500e
LW71.JD.P233 and previous
LW71.JD.P234 and later

C746
LHS60.CM2.P705 and previous
LHS60.CM2.P706 and later

C748, CS748
LHS60.CM4.P705 and previous
LHS60.CM4.P706 and later

C792, CS796
LHS60.HC.P705 and previous
LHS60.HC.P706 and later

C925
LHS60.HV.P705 and previous
LHS60.HV.P706 and later

C950
LHS60.TP.P705 and previous
LHS60.TP.P706 and later

X548 XS548
LHS60.VK.P705 and previous
LHS60.VK.P706 and later

X74x XS748
LHS60.NY.P705 and previous
LHS60.NY.P706 and later

X792 XS79x
LHS60.MR.P705 and previous
LHS60.MR.P706 and later

X925 XS925
LHS60.HK.P705 and previous
LHS60.HK.P706 and later

X95x XS95x
LHS60.TQ.P705 and previous
LHS60.TQ.P706 and later

6500e
LHS60.JR.P705 and previous
LHS60.JR.P706 and later

C734
LR.SK.P815 and previous
LR.SK.P816 and later

C736
LR.SKE.P815 and previous
LR.SKE.P816 and later

E46x
LR.LBH.P815 and previous
LR.JBH.P816 and later

T65x
LR.JP.P815 and previous
LR.JP.P816 and later

X46x
LR.BS.P815 and previous
LR.BS.P816 and later

X65x
LR.MN.P815 and previous
LR.MN.P816 and later

X73x <td class=”x

Published by NCC Group Publication Archive

View all posts by NCC Group Publication Archive ->

Here are some related articles you may find interesting

Ghidra nanoMIPS ISA module

Introduction In late 2023 and early 2024, the NCC Group Hardware and Embedded Systems practice undertook an engagement to reverse engineer baseband firmware on several smartphones. This included MediaTek 5G baseband firmware based on the nanoMIPS architecture. While we were aware of some nanoMIPS modules for Ghidra having been developed…

Hardware & Embedded Systems

Reverse Engineering

Tool Release

May 7, 2024

6 mins read

Sifting through the spines: identifying (potential) Cactus ransomware victims

Authored by Willem Zeeman and Yun Zheng Hu This blog is part of a series written by various Dutch cyber security firms that have collaborated on the Cactus ransomware group, which exploits Qlik Sense servers for initial access. To view all of them please check the central blog by Dutch…

Digital Forensics and Incident Response (DFIR)

Fox-IT and European Research

Vulnerability Research

April 25, 2024

7 mins read

Public Report – Confidential Mode for Hyperdisk – DEK Protection Analysis

During the spring of 2024, Google engaged NCC Group to conduct a design review of Confidential Mode for Hyperdisk (CHD) architecture in order to analyze how the Data Encryption Key (DEK) that encrypts data-at-rest is protected. The project was 10 person days and the goal is to validate that the…

Public Reports

April 12, 2024

1 min read

View articles by category

Most recent posts

Call us before you need us.

Our experts will help you.

Get in touch

Technical Advisory: Multiple Vulnerabilities in Lexmark Printers

Technical Advisories:

SNMP Denial of Service Vulnerability (CVE-2019-9931)

Summary

Impact

Details

Proof of Concept

Devices Affected

Vendor Communication

References

Multiple Overflows in Lexmark Web Server (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933)

Summary

Impact

Details

Proof of Concept

Devices Affected

Vendor Communication

References

Information Disclosure Vulnerabilities (CVE-2019-9934, CVE-2019-9935)

Summary

Impact

Details

Proof of Concept

Devices Affected

Vendor Communication

References

Information Disclosure Vulnerability via Finger Service (CVE-2019-10059)

Summary

Impact

Details

Proof of Concept

Devices Affected

Like this:

View articles by category

Most popular posts

Most recent posts

Call us before you need us.

Technical Advisory: Multiple Vulnerabilities in Lexmark Printers

Technical Advisories:

SNMP Denial of Service Vulnerability (CVE-2019-9931)

Summary

Impact

Details

Proof of Concept

Devices Affected

Vendor Communication

References

Multiple Overflows in Lexmark Web Server (CVE-2019-9930, CVE-2019-9932, CVE-2019-9933)

Summary

Impact

Details

Proof of Concept

Devices Affected

Vendor Communication

References

Information Disclosure Vulnerabilities (CVE-2019-9934, CVE-2019-9935)

Summary

Impact

Details

Proof of Concept

Devices Affected

Vendor Communication

References

Information Disclosure Vulnerability via Finger Service (CVE-2019-10059)

Summary

Impact

Details

Proof of Concept

Devices Affected

Share this:

Like this:

Here are some related articles you may find interesting

Ghidra nanoMIPS ISA module

Sifting through the spines: identifying (potential) Cactus ransomware victims

Public Report – Confidential Mode for Hyperdisk – DEK Protection Analysis

View articles by category

Most popular posts

Most recent posts

Call us before you need us.