JVNDB-2021-000026

Fuji Xerox multifunction devices and printers vulnerable to denial-of-service (DoS)

Overview

Multifunction devices and printers provided by Fuji Xerox Co., Ltd. contain a denial-of-service (DoS) vulnerability.

Masahiro Kawada of Ierae Security Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under the Information Security Early Warning Partnership.
CVSS Severity

CVSS V3 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Attack Vector: Adjacent Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Low
CVSS V2 Severity:
Base Metrics 3.3 (Low) [IPA Score]
  • Access Vector: Adjacent Network
  • Access Complexity: Low
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: None
  • Availability Impact: Partial
Affected Products


FUJIFILM Business Innovation Corp. (former Fuji Xerox Co., Ltd.)
  • (multiple products)

A wide range of products is affected. For more information, refer to the information provided by the developer.
Impact

An attacker may cause the products to terminate by sending a specially crafted command.
To restart the products, the physical power button on the devices must be operated.
Solution

[Update the Firmware]

  • Multifunction devices
    • Update to the latest version according to the information provided by the developer. The updated firmware is to be downloaded through the network using the remote maintenance service or to be applied by customer service engineers. For more information, contact the developer.

  • Printers
    • Update to the latest version according to the information provided by the developer.

According to the developer, the fixed firmware for each affected product will be released gradually in groups. Contact the developer for the release dates.

[Apply Workarounds]
Apply the following workarounds to mitigate the impact of this vulnerability:
  • Place the product on a secure network, such as a network protected by firewalls.
  • Permit access only from trusted IP addresses when connecting to the Internet.
  • Use secure methods, such as Virtual Private Networks (VPNs), when remote access is necessary.
Vendor Information

FUJIFILM Business Innovation Corp. (former Fuji Xerox Co., Ltd.)
CWE

  1. No Mapping (CWE-Other) [IPA Evaluation]
CVE

  1. CVE-2021-20679
References

  1. JVN : JVN#37607293
  2. National Vulnerability Database (NVD) : CVE-2021-20679
Revision History

  • [2021/03/19]
      Web page was published
  • [2021/04/12]
      Affected Products : The hyperlink URL was updated
      Vendor Information : The hyperlink URL was updated