Impact of vulnerabilities CVE-2023-34259, CVE-2023-34260, and CVE-2023-34261 on our products

I. Summary of the security vulnerabilities

Product:
Various systems
(see below for a detailed list of affected models)

Publication:
05.07.2023
Description:
We would like to inform you that security vulnerabilities have been identified in the web interface of our printers and multifunction devices, the interface through which users check and change various device settings over the network. Below is an overview of the issues and their resolution. At the time of this publication, we are not aware of any attacks that exploit these vulnerabilities.

Three security risks were identified:
  1. Vulnerability CVE-2023-34259 | Path Bypass: The web interface has a path bypass vulnerability, an attack against web applications. By manipulating the value of the file path, an attacker can gain access to the file system, including source code and critical system settings.
  2. Vulnerability CVE-2023-34260 | Denial of Service (DoS): A security vulnerability allows the web interface to be rendered inoperable through a DoS attack. By manipulating the value of the file path, the web interface can be made inoperable.
  3. Vulnerability CVE-2023-34261 | User enumeration: Through multiple login attempts at the web interface login page, an attacker can find out whether a given login username exists in the device's user database.
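The two application-level weaknesses named above (items 1 and 3) come down to two missing checks: a file path taken from the request is not confined to the web interface's document root, and the login handler answers differently for unknown and known usernames. The following is an added illustration of both checks, written for this page; it is not the vendor's firmware code, and the web root, the user record and the password parameters are constructed for the example. The same path check also rejects the malformed paths item 2 relies on, so no separate example is given for it.

```python
import hashlib
import hmac
import os
import secrets
from pathlib import Path
from typing import Optional
from urllib.parse import unquote

# Hypothetical document root for the example; not a real device path.
WEB_ROOT = Path("/srv/webui/static")


def resolve_under_root(requested: str, root: Path = WEB_ROOT) -> Optional[Path]:
    """Map a request path onto the web root, or return None if it escapes.

    This containment check is what a 'path bypass' handler lacks: without it,
    '..' segments (plain or percent-encoded) walk out of the document root.
    """
    # Decode percent-encoding once, as the server would, so '%2e%2e' and '..'
    # are judged the same way. Embedded NULs never belong in a file name.
    decoded = unquote(requested)
    if "\x00" in decoded:
        return None
    # Treat the request as relative to root, then collapse '.' and '..'
    # lexically (no file system access, so the example runs offline).
    candidate = Path(os.path.normpath(os.path.join(str(root), decoded.lstrip("/"))))
    try:
        candidate.relative_to(root)  # raises ValueError if outside root
    except ValueError:
        return None
    return candidate


# --- Enumeration-resistant login -------------------------------------------

def _hash_password(password: bytes, salt: bytes) -> bytes:
    # PBKDF2 parameters are constructed for the example, not taken from any device.
    return hashlib.pbkdf2_hmac("sha256", password, salt, 50_000)


# Constructed user store: username -> (salt, password hash).
_ADMIN_SALT = secrets.token_bytes(16)
USERS = {"admin": (_ADMIN_SALT, _hash_password(b"correct horse", _ADMIN_SALT))}

# A dummy record hashed from random bytes: it can never match a real password,
# but it gives unknown usernames the same amount of work as known ones.
_DUMMY_SALT = secrets.token_bytes(16)
_DUMMY_HASH = _hash_password(secrets.token_bytes(32), _DUMMY_SALT)

LOGIN_FAILED = "Login failed"  # one generic message for every failure cause


def login(username: str, password: str, users=USERS) -> bool:
    """Authenticate without revealing whether `username` exists.

    Unknown users are run through the same hash computation against the dummy
    record, so neither the code path nor the timing distinguishes 'no such
    user' from 'wrong password'.
    """
    salt, stored = users.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    computed = _hash_password(password.encode(), salt)
    matched = hmac.compare_digest(computed, stored)
    return matched and username in users


def login_response(username: str, password: str) -> str:
    """Response body as the web interface would return it: identical on every failure."""
    return "OK" if login(username, password) else LOGIN_FAILED


if __name__ == "__main__":
    print(resolve_under_root("css/style.css"))       # inside root: served
    print(resolve_under_root("..%2F..%2Fetc/passwd"))  # escapes root: None
    print(login_response("nobody", "x"), "|", login_response("admin", "wrong"))
```

The two functions are independent: `resolve_under_root` is the guard a static-file handler calls before opening anything, and `login_response` shows that the body returned for a missing user and for a wrong password is byte-for-byte the same, which is the property the user-enumeration finding depends on being absent.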

II. Solution description

The IT security of customers is a top priority for Utax. As a countermeasure, firmware is provided that validates the paths handled by the web interface. Below you will find an overview of affected systems, including the release date of the respective firmware update: