Toshiba Multi-Function Printers Impacted by 40+ Vulnerabilities


Several new vulnerabilities have been discovered in Toshiba e-STUDIO Multi-Function Printers (MFPs) that are used by businesses and organizations worldwide.

These vulnerabilities affect 103 different models of Toshiba Multi-Function Printers. 

Vulnerabilities identified include Remote Code Execution, XML External Entity Injection (XXE), Privilege Escalation, authentication credential leaks, DOM-based XSS, insecure permissions, TOCTOU (Time-Of-Check to Time-Of-Use) conditions, and many others.


Toshiba Multi-Function Printers

According to the reports shared with Cyber Security News, CVE-2024-27171 and CVE-2024-27180 affect the implementation of the third-party application system as well as the third-party applications that are installed by default on Toshiba printers.

A threat actor can exploit Toshiba Multi-Function Printers using multiple vulnerabilities. The list of affected Toshiba MFP models is as follows:

2021AC 4528AG 3515AC 5018A 3005AC 3508LP
2521AC 5528A 3615AC 5118A 3505AC 4508LP
2020AC 6528A 4515AC 5516AC 4505AC 5008LP
2520AC 6526AC 4615AC 5616AC 5005AC  
2025NC 6527AC 5015AC 6516AC 2008A  
2525AC 7527AC 5115AC 6616AC 2508A  
3025AC 6529A 2018A 7516AC 3008A  
3525AC 7529A 2518A 7616AC 3008AG  
3525ACG 9029A 2618A 5518A 3508A  
4525AC 330AC 3018A 5618A 3508AG  
4525ACG 400AC 3118A 6518A 4508A  
5525AC 2010AC 3018AG 6618A 4508AG  
5525ACG 2110AC 3518A 7518A 5008A  
6525AC 2510AC 3518AG 7618A 5506AC  
6525ACG 2610AC 3618A 8518A 6506AC  
2528A 2015NC 3618AG 8618A 7506AC  
3028A 2515AC 4518A 2000AC 5508A  
3528A 2615AC 4518AG 2500AC 6508A  
3528AG 3015AC 4618A 2005NC 7508A  
4528A 3115AC 4618AG 2505AC 8508A  

The report also notes that the physical security of the printers was not analyzed, and that the vulnerabilities were confirmed on several models running the latest firmware versions, such as

  • e-STUDIO2010AC
  • e-STUDIO3005AC
  • e-STUDIO3508A
  • e-STUDIO5018A

Further, all of these printers run Linux and are powerful devices that a threat actor could leverage to move laterally inside an infrastructure.
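As an added example (not code from the article or from Toshiba), a small Python triage helper that checks an asset inventory against the affected-model table above and the four models the researchers confirmed vulnerable on the latest firmware. The hostnames and inventory records are constructed, and the way model names are parsed from description strings is an assumption about how inventory data looks.

```python
import re

# Affected e-STUDIO model numbers, transcribed from the table in the article.
AFFECTED_MODELS = set("""
2021AC 4528AG 3515AC 5018A 3005AC 3508LP 2521AC 5528A 3615AC 5118A 3505AC 4508LP
2020AC 6528A 4515AC 5516AC 4505AC 5008LP 2520AC 6526AC 4615AC 5616AC 5005AC
2025NC 6527AC 5015AC 6516AC 2008A 2525AC 7527AC 5115AC 6616AC 2508A
3025AC 6529A 2018A 7516AC 3008A 3525AC 7529A 2518A 7616AC 3008AG
3525ACG 9029A 2618A 5518A 3508A 4525AC 330AC 3018A 5618A 3508AG
4525ACG 400AC 3118A 6518A 4508A 5525AC 2010AC 3018AG 6618A 4508AG
5525ACG 2110AC 3518A 7518A 5008A 6525AC 2510AC 3518AG 7618A 5506AC
6525ACG 2610AC 3618A 8518A 6506AC 2528A 2015NC 3618AG 8618A 7506AC
3028A 2515AC 4518A 2000AC 5508A 3528A 2615AC 4518AG 2500AC 6508A
3528AG 3015AC 4618A 2005NC 7508A 4528A 3115AC 4618AG 2505AC 8508A
""".split())

# Models the researchers confirmed vulnerable on the latest firmware, per the article.
CONFIRMED_ON_LATEST_FIRMWARE = {"2010AC", "3005AC", "3508A", "5018A"}

# Pulls the bare model token out of strings such as "TOSHIBA e-STUDIO2510AC"
# or "e-STUDIO 3508a"; the e-STUDIO prefix is optional and case is ignored (assumed format).
_MODEL_RE = re.compile(r"(?:e-STUDIO\s*)?(\d{3,4}[A-Z]{1,3})\b", re.IGNORECASE)

def normalize_model(descr):
    """Return the bare model number (e.g. '2510AC') from a description, or None."""
    m = _MODEL_RE.search(descr)
    return m.group(1).upper() if m else None

def classify(descr):
    """'affected' if listed in the advisory, 'not_listed' if not, 'unknown' if unparsable."""
    model = normalize_model(descr)
    if model is None:
        return "unknown"
    return "affected" if model in AFFECTED_MODELS else "not_listed"

def triage(inventory):
    """Map (host, description) pairs to (host, model, status, confirmed_on_latest_fw)."""
    return [(h, normalize_model(d), classify(d), normalize_model(d) in CONFIRMED_ON_LATEST_FIRMWARE)
            for h, d in inventory]

# Constructed sample inventory, as it might come from an asset database or SNMP sysDescr.
SAMPLE_INVENTORY = [
    ("prn-hq-01", "TOSHIBA e-STUDIO2510AC"),
    ("prn-hq-02", "e-STUDIO 3508a"),
    ("prn-lab-01", "e-STUDIO1234ZZ"),
    ("prn-lab-02", "HP LaserJet 4250"),
]

if __name__ == "__main__":
    print(*triage(SAMPLE_INVENTORY), sep="\n")
```

A "not_listed" result only means the model is absent from the table quoted here; confirm against Toshiba's advisory before treating a device as unaffected.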

In total, 40 vulnerabilities were reported to Toshiba, and the corresponding security advisories have been published to address them.

  1. CVE-2024-27141 – Pre-authenticated Blind XML External Entity (XXE) injection – DoS
  2. CVE-2024-27142 – Pre-authenticated XXE injection
  3. CVE-2024-27143 – Pre-authenticated Remote Code Execution as root
  4. CVE-2024-27144 – Pre-authenticated Remote Code Execution as root or apache and multiple Local Privilege Escalations
    4.1. Remote Code Execution – Upload of a new .py module inside WSGI Python programs
    4.2. Remote Code Execution – Upload of a new .ini configuration files inside WSGI Python programs
    4.3. Remote Code Execution – Upload of a malicious script /tmp/backtraceScript.sh and injection of malicious gdb commands
    4.4. Remote Code Execution – Upload of a malicious /home/SYSROM_SRC/build/common/bin/sapphost.py program
    4.5. Remote Code Execution – Upload of malicious libraries
    4.6. Other ways to get Remote Code Execution
  5. CVE-2024-27145 – Multiple Post-authenticated Remote Code Executions as root
  6. CVE-2024-27146 – Lack of privileges separation
  7. CVE-2024-27147 – Local Privilege Escalation and Remote Code Execution using snmpd
  8. CVE-2024-27148 – Local Privilege Escalation and Remote Code Execution using insecure PATH
  9. CVE-2024-27149 – Local Privilege Escalation and Remote Code Execution using insecure LD_PRELOAD
  10. CVE-2024-27150 – Local Privilege Escalation and Remote Code Execution using insecure LD_LIBRARY_PATH
  11. CVE-2024-27151 – Local Privilege Escalation and Remote Code Execution using insecure permissions for 106 programs
    11.1. 3 vulnerable programs not running as root
    11.2. 103 vulnerable programs running as root
  12. CVE-2024-27152 – Local Privilege Escalation and Remote Code Execution using insecure permissions for libraries
    12.1. Example with /home/SYSROM_SRC/bin/syscallerr
  13. CVE-2024-27153 – Local Privilege Escalation and Remote Code Execution using CISSM
  14. CVE-2024-27154 and CVE-2024-27155 – Passwords stored in clear-text logs and insecure logs
    14.1. Clear-text password written in logs when a user logs into the printer
    14.2. Clear-text password written in logs when a password is modified
  15. CVE-2024-27156 – Leak of authentication sessions in insecure logs in /ramdisk/work/log directory
  16. CVE-2024-27157 – Leak of authentication sessions in insecure logs in /ramdisk/al/network/log directory
  17. CVE-2024-27158 – Hardcoded root password
  18. CVE-2024-27159 – Hardcoded password used to encrypt logs
  19. CVE-2024-27160 – Hardcoded password used to encrypt logs and use of a weak digest cipher
  20. CVE-2024-27161 – Hardcoded password used to encrypt files
  21. CVE-2024-27162 – DOM-based XSS present in the /js/TopAccessUtil.js file
  22. CVE-2024-27163 – Leak of admin password and passwords
  23. CVE-2024-27164 – Hardcoded credentials in telnetd
  24. CVE-2024-27165 – Local Privilege Escalation using PROCSUID
  25. CVE-2024-27166 – Insecure permissions for core files
  26. CVE-2024-27167 – Insecure permissions used for Sendmail – Local Privilege Escalation
  27. CVE-2024-27168 – Hardcoded keys found in Python applications used to generate authentication cookies
  28. CVE-2024-27169 – Lack of authentication in WebPanel – Local Privilege Escalation
  29. CVE-2024-27170 – Hardcoded credentials for WebDAV access
  30. CVE-2024-27171 – Insecure permissions
  31. CVE-2024-27172 – Remote Code Execution – command injection as root
  32. CVE-2024-27173 – Remote Code Execution – insecure upload
  33. CVE-2024-27174 – Remote Code Execution – insecure upload
  34. CVE-2024-27175 – Local File Inclusion
  35. CVE-2024-27176 – Remote Code Execution – insecure upload
  36. CVE-2024-27177 – Remote Code Execution – insecure upload
  37. CVE-2024-27178 – Remote Code Execution – insecure copy
  38. CVE-2024-27179 – Session disclosure inside the log files in the installation of applications
  39. CVE-2024-27180 – TOCTOU vulnerability in the installation of applications, allowing rogue applications to be installed and RCE to be obtained

Users of these Toshiba products are advised to upgrade to the latest version, as described in Toshiba’s security advisory, to prevent these vulnerabilities from being exploited by threat actors.
