|
[Japanese]
|
JVNDB-2021-006146
|
Multiple vulnerabilities in KONICA MINOLTA MFPs and printing systems
|
|
Multi-function printers (MFP) and printing systems provided by KONICA MINOLTA, INC. contain multiple vulnerabilities listed below.
* Incorrect authorization (CWE-863) - CVE-2021-20868
* Exposure of sensitive information to an unauthorized actor (CWE-200) - CVE-2021-20869
* Improper handling of exceptional conditions (CWE-755) - CVE-2021-20870
* Exposure of sensitive information to an unauthorized actor (CWE-200) - CVE-2021-20871
* Protection mechanism failure (CWE-693) - CVE-2021-20872
KONICA MINOLTA, INC. reported these vulnerabilities to JPCERT/CC to notify users of the solutions through JVN.
|
|
CVSS V3 Severity:
Base Metrics 6.4 (Medium) [Other]
- Attack Vector: physics
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: High
- Availability Impact: High
The above CVSS base scores have been assigned for CVE-2021-20872
|
CVSS V3 Severity:
Base Metrics:4.2 (Medium) [Other]
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: High
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20868
|
CVSS V3 Severity:
Base Metrics:5.3 (Medium) [Other]
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20869
|
CVSS V3 Severity:
Base Metrics:4.0 (Medium) [Other]
- Attack Vector: Physical
- Attack Complexity: High
- Privileges Required: None
- User Interaction: Required
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20870
|
CVSS V3 Severity:
Base Metrics:5.3 (Medium) [Other]
- Attack Vector: Adjacent
- Attack Complexity: High
- Privileges Required: None
- User Interaction: None
- Scope: Unchanged
- Confidentiality Impact: High
- Integrity Impact: None
- Availability Impact: None
The above CVSS base scores have been assigned for CVE-2021-20871
|
|
|
Konica Minolta Business Solutions Japan Co., Ltd.
|
For more information, refer to the information provided by the developer.
|
|
* If external server authentication is enabled, user credentials may be obtained via a specific SOAP message sent by an administrative user. - CVE-2021-20868
* If LDAP server authentication is enabled, some of user credentials may be obtained via a specific SOAP message. - CVE-2021-20869
* When scanned data transmission is stopped due to the network error, unsent scanned image data may be obtained by ejecting a HDD before the scan job times out. - CVE-2021-20870
* The firmware integrity verification is bypassed, and malicious firmware may be installed. - CVE-2021-20872
|
|
[Update the firmware]
Update the firmware to the latest version according to the information provided by the developer.
The developer states that the firmware update will be applied on remote maintenance or KONICA MINOLTA customer engineer's on-site maintenance.
[Apply workarounds]
Applying the following workarounds may mitigate the impacts of these vulnerabilities.
* Encrypt HDD/SSD
* Change the initial administrative password to some hard-to-guess one
* Use a private IP address and set up a firewall to prevent unauthorized accesses from outside
* Properly configure security functions implemented in the products
* "How to setup Security Settings (Text in Japanese)"
|
|
Konica Minolta Business Solutions Japan Co., Ltd.
|
|
- Information Exposure(CWE-200) [Other]
- Protection Mechanism Failure(CWE-693) [Other]
- Improper Handling of Exceptional Conditions(CWE-755) [Other]
- Incorrect Authorization(CWE-863) [Other]
|
|
- CVE-2021-20868
- CVE-2021-20869
- CVE-2021-20870
- CVE-2021-20871
- CVE-2021-20872
|
|
- JVN : JVNVU#95192472
|
|
- [2021/12/28]
Web page was published
|
