Technical Advisory: Multiple Vulnerabilities in Kyocera Printers

Multiple vulnerabilities, ranging from information disclosure to remote code execution, were found in several Kyocera printers.

The vulnerabilities listed below were found to affect several Kyocera printers:

 

Technical Advisories:

Multiple Buffer Overflows in Web Server (CVE-2019-13196, CVE-2019-13197, CVE-2019-13202, CVE-2019-13203, CVE-2019-13206)

Vendor: Kyocera
Vendor URL: https://www.kyoceradocumentsolutions.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13196, 
 CVE-2019-13197, 
 CVE-2019-13202, 
 CVE-2019-13203, 
 CVE-2019-13206
Risk: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Summary

Some Kyocera printers were affected by several buffer overflow vulnerabilities in the web application that would allow an attacker to perform a Denial of Service attack, and potentially execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can crash the device and potentially lead to arbitrary code execution on the device.

Details

Specially crafted requests to the web server will cause a vulnerable device to crash. Buffer overflows and an integer overflow have been identified in different arguments of the web application. Exploitation of this issue allows an attacker to cause a Denial of Service and may lead to arbitrary code execution on the device.

CVSSv3 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Kyocera in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13196
https://nvd.nist.gov/vuln/detail/CVE-2019-13196

CVE-2019-13197
https://nvd.nist.gov/vuln/detail/CVE-2019-13197

CVE-2019-13202
https://nvd.nist.gov/vuln/detail/CVE-2019-13202

CVE-2019-13203
https://nvd.nist.gov/vuln/detail/CVE-2019-13203

CVE-2019-13206
https://nvd.nist.gov/vuln/detail/CVE-2019-13206

 

Devices Affected

The table below shows the devices and firmware versions affected:

Kyocera Models     Affected Releases     Fixed Releases
ECOSYS M5526CDW    2R7_2000.001.701      2R7_2000.002.301

*Reference: https://www.kyoceradocumentsolutions.eu/en/about-us/contact-us/press/vulnerabilities-ecosys-m5526cdw.html 

 

Multiple Buffer Overflows in IPP Service (CVE-2019-13204)

Vendor: Kyocera
Vendor URL: https://www.kyoceradocumentsolutions.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13204
Risk: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Summary

Some Kyocera printers were affected by multiple overflow vulnerabilities in the IPP service. This would allow an unauthenticated attacker to cause a Denial of Service (DoS) and potentially execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can crash the device and potentially lead to remote code execution on the affected device.

Details

Specially crafted requests to the IPP service will cause a vulnerable device to crash. Multiple buffer overflow vulnerabilities have been identified in the IPP service of Kyocera devices that allow an attacker to crash the device and potentially execute arbitrary code.

CVSSv3 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Kyocera in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13204
https://nvd.nist.gov/vuln/detail/CVE-2019-13204

Devices Affected

The table below shows the devices and firmware versions affected:

Kyocera Models     Affected Releases     Fixed Releases
ECOSYS M5526CDW    2R7_2000.001.701      2R7_2000.002.301

*Reference: https://www.kyoceradocumentsolutions.eu/en/about-us/contact-us/press/vulnerabilities-ecosys-m5526cdw.html 

 

Buffer Overflow in LPD Service (CVE-2019-13201)

Vendor: Kyocera
Vendor URL: https://www.kyoceradocumentsolutions.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13201
Risk: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

 

Summary

Some Kyocera printers were affected by a buffer overflow vulnerability in the LPD service. This would allow an unauthenticated attacker to cause a Denial of Service (DoS) in the LPD service and potentially execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can crash the device and potentially lead to remote code execution on the affected device.

Details

Specially crafted requests to the LPD service with big control files will cause the LPD service to crash, and could potentially allow remote code execution on the affected device.
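
A bounded parser for the LPD (RFC 1179) "receive control file" subcommand, as an added example of the kind of size check that guards against oversized control files; it is not code from the advisory or from the device firmware. The function name and the two limits are assumptions chosen for illustration.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_CONTROL_FILE 4096  /* assumed cap: control files are short text */
#define MAX_NAME_LEN     63    /* assumed cap on the control file name */

/* Parses an RFC 1179 "receive control file" subcommand line:
 *     0x02 <count> SP <name> LF
 * Returns 0 and fills *count and name, or -1 when the line is malformed or
 * declares more bytes than the receive buffer can hold. */
int parse_cf_subcommand(const unsigned char *line, size_t len,
                        size_t *count, char name[MAX_NAME_LEN + 1])
{
    size_t i = 1, n = 0;

    if (len < 5 || line[0] != 0x02 || line[len - 1] != '\n')
        return -1;
    /* Check the cap after every digit so the count can never wrap. */
    for (; isdigit(line[i]); i++) {
        n = n * 10 + (size_t)(line[i] - '0');
        if (n > MAX_CONTROL_FILE)
            return -1;
    }
    if (i == 1 || line[i] != ' ')
        return -1;                          /* no digits, or no separator */
    i++;
    size_t name_len = len - 1 - i;          /* bytes between SP and LF */
    if (name_len == 0 || name_len > MAX_NAME_LEN)
        return -1;
    for (size_t k = 0; k < name_len; k++)   /* printable, no path separator */
        if (!isgraph(line[i + k]) || line[i + k] == '/')
            return -1;
    memcpy(name, line + i, name_len);
    name[name_len] = '\0';
    *count = n;
    return 0;
}

int main(void)
{
    /* Constructed sample line declaring an oversized control file. */
    const unsigned char big[] = "\x02" "99999999999 cfA001host\n";
    size_t count;
    char name[MAX_NAME_LEN + 1];
    printf("%d\n", parse_cf_subcommand(big, sizeof big - 1, &count, name));
    return 0;
}
```

The caller then reads exactly the accepted count of bytes into a buffer sized from MAX_CONTROL_FILE, never from the peer-supplied number.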

CVSSv3 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Kyocera in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13201
https://nvd.nist.gov/vuln/detail/CVE-2019-13201

Devices Affected

The table below shows the devices and firmware versions affected:

Kyocera Models     Affected Releases     Fixed Releases
ECOSYS M5526CDW    2R7_2000.001.701      2R7_2000.002.301

*Reference: https://www.kyoceradocumentsolutions.eu/en/about-us/contact-us/press/vulnerabilities-ecosys-m5526cdw.html 

 

Path Traversal (CVE-2019-13195)

Vendor: Kyocera
Vendor URL: https://www.kyoceradocumentsolutions.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13195
Risk: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)

Summary

The web application of some Kyocera printers was vulnerable to path traversal, allowing an unauthenticated user to retrieve arbitrary files under certain conditions, and also to check whether files or folders existed within the file system.

It was only possible to obtain files that had a whitelisted extension; it was therefore not possible to obtain typical files such as /etc/passwd.

Impact

Successful exploitation of this vulnerability can lead to access to arbitrary files from the operating system.

Details

It was only possible to obtain files that had a whitelisted extension; it was therefore not possible to obtain typical files such as /etc/passwd.

Some extensions that seemed to be accepted were the following:

  • .htm
  • .js
  • .css
  • .ico
  • .sh
  • .png
  • .gif
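
Why an extension whitelist on its own does not stop traversal, shown as an added example that is not code from the advisory or from the device: a suffix-only check beside a resolver that also rejects parent-directory segments. The function names, the web root and the request paths are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Extensions the advisory lists as apparently accepted. */
static const char *const ALLOWED_EXT[] = {
    ".htm", ".js", ".css", ".ico", ".sh", ".png", ".gif"
};

/* Suffix-only check: says nothing about where the file lives. */
int ext_allowed(const char *path)
{
    const char *dot = strrchr(path, '.');
    if (dot == NULL)
        return 0;
    for (size_t i = 0; i < sizeof ALLOWED_EXT / sizeof ALLOWED_EXT[0]; i++)
        if (strcmp(dot, ALLOWED_EXT[i]) == 0)
            return 1;
    return 0;
}

/* Hypothetical hardened resolver. `req` must already be percent-decoded
 * exactly once. Every failure returns the same -1 so the caller can send
 * one identical "not found" reply, whether or not the file exists. */
int resolve_under_root(const char *root, const char *req,
                       char *out, size_t outlen)
{
    if (req[0] != '/' || strchr(req, '\\') != NULL || !ext_allowed(req))
        return -1;
    for (const char *p = req; *p != '\0'; ) {
        size_t seg = strcspn(p, "/");          /* length of this segment */
        if (seg == 2 && p[0] == '.' && p[1] == '.')
            return -1;                         /* no parent-directory steps */
        p += seg;
        if (*p == '/')
            p++;
    }
    int n = snprintf(out, outlen, "%s%s", root, req);
    return (n < 0 || (size_t)n >= outlen) ? -1 : 0;
}

int main(void)
{
    char out[256];
    const char *bad = "/../../tmp/example.sh";   /* constructed input */
    printf("suffix check: %d, resolver: %d\n", ext_allowed(bad),
           resolve_under_root("/var/www", bad, out, sizeof out));
    return 0;
}
```

The check is lexical, so it does not cover symbolic links inside the web root; on a real file system it would be paired with realpath() and a prefix comparison against the canonical root.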

 

CVSSv3 Base Score: 7.5 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
Impact Subscore: 3.6
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Kyocera in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13195
https://nvd.nist.gov/vuln/detail/CVE-2019-13195

Devices Affected

The table below shows the devices and firmware versions affected:

Kyocera Models     Affected Releases     Fixed Releases
ECOSYS M5526CDW    2R7_2000.001.701      2R7_2000.002.301

*Reference: https://www.kyoceradocumentsolutions.eu/en/about-us/contact-us/press/vulnerabilities-ecosys-m5526cdw.html 

 

Broken Access Controls (CVE-2019-13205)

Vendor: Kyocera
Vendor URL: https://www.kyoceradocumentsolutions.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13205
Risk: 8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)

Summary

All configuration parameters of the Kyocera printer were accessible by unauthenticated users. This information was only presented in the menus when authenticated, and the pages that loaded this information were also protected. However, all files that contained the configuration parameters were accessible.

Impact

These files contained sensitive information, such as users, community strings and other passwords configured in the printer.

Details

All the model files accessible through the web application, which contained all the configured parameters of the printer, were accessible without authentication. This included credentials that may affect other systems as well, such as community strings.

CVSSv3 Base Score: 8.6 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:N/A:N)
Impact Subscore: 4.0
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Kyocera in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13205
https://nvd.nist.gov/vuln/detail/CVE-2019-13205

Devices Affected

The table below shows the devices and firmware versions affected:

Kyocera Models     Affected Releases     Fixed Releases
ECOSYS M5526CDW    2R7_2000.001.701      2R7_2000.002.301

*Reference: https://www.kyoceradocumentsolutions.eu/en/about-us/contact-us/press/vulnerabilities-ecosys-m5526cdw.html 

 

Multiple Cross-Site Scripting Vulnerabilities (CVE-2019-13198, CVE-2019-13200)

Vendor: Kyocera
Vendor URL: https://www.kyoceradocumentsolutions.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13198,
 CVE-2019-13200
Risk: CVE-2019-13198: 7.6 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L)
 CVE-2019-13200: 7.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L)

Summary

Multiple Cross-Site Scripting vulnerabilities, including Stored Cross-Site Scripting issues, were found in the Kyocera Web Application.

Impact

Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions.

Details

The web application was vulnerable to Cross-Site Scripting attacks, both stored and reflected. This type of vulnerability occurs when untrusted data is included in the resulting page without being correctly HTML-encoded, and client-side executable code may be injected into the dynamic page.

CVE-2019-13198:

CVSSv3 Base Score: 6.7 (CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:U/C:H/I:H/A:L)
Impact Subscore: 5.5
Exploitability Subscore: 1.2

CVE-2019-13200:

CVSSv3 Base Score: 7.1 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:L)
Impact Subscore: 5.5
Exploitability Subscore: 1.6

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Kyocera in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13198
https://nvd.nist.gov/vuln/detail/CVE-2019-13198

CVE-2019-13200
https://nvd.nist.gov/vuln/detail/CVE-2019-13200

Devices Affected

The table below shows the devices and firmware versions affected:

Kyocera Models     Affected Releases     Fixed Releases
ECOSYS M5526CDW    2R7_2000.001.701      2R7_2000.002.301

*Reference: https://www.kyoceradocumentsolutions.eu/en/about-us/contact-us/press/vulnerabilities-ecosys-m5526cdw.html 

Lack of Cross-Site Request Forgery Countermeasures (CVE-2019-13199)

Vendor: Kyocera
Vendor URL: https://www.kyoceradocumentsolutions.com/ 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-13199
Risk: 6.5 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)

Summary

Some Kyocera printers did not implement any mechanism to avoid cross-site request forgery attacks.

Impact

Successful exploitation of this vulnerability can lead to the takeover of a local account on the device.

Details

Some Kyocera printers did not implement any mechanism to avoid cross-site request forgery attacks. This can allow a local account password to be changed without the knowledge of the authenticated user.

CVSSv3 Base Score: 6.5 (AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N)
Impact Subscore: 3.6
Exploitability Subscore: 2.8

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and August: Permanent email contact between NCC Group and Kyocera in order to follow up the process.
2019-08-08: NCC Group Advisory released

References

CVE-2019-13199
https://nvd.nist.gov/vuln/detail/CVE-2019-13199

Devices Affected

The table below shows the devices and firmware versions affected:

Kyocera Models     Affected Releases     Fixed Releases
ECOSYS M5526CDW    2R7_2000.001.701      2R7_2000.002.301

*Reference: https://www.kyoceradocumentsolutions.eu/en/about-us/contact-us/press/vulnerabilities-ecosys-m5526cdw.html 

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
Published date: 08/08/2019
Written by:
• Daniel Romero – daniel.romero[at]nccgroup[dot]com
• Mario Rivas – mario.rivas[at]nccgroup[dot]com
