JVNDB-2024-000026

[Japanese]
JVNDB-2024-000026
Multiple vulnerabilities in printers and scanners which implement BROTHER Web Based Management
Overview
Multiple printers and scanners which implement Web Based Management provided by BROTHER INDUSTRIES, LTD. contain multiple vulnerabilities listed below. * Improper Authentication (CWE-287) - CVE-2024-21824 * Cross-Site Request Forgery (CWE-352) - CVE-2024-22475 Hiroki Yasui, Yudai Morii, Takaya Noma, Takayuki Sasaki, and Katsunari Yoshioka of Yokohama National University reported these vulnerabilities to IPA. JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)
CVSS V3 Severity: Base Metrics 5.3 (Medium) [IPA Score] Attack Vector: Adjacent Network Attack Complexity: High Privileges Required: None User Interaction: None Scope: Unchanged Confidentiality Impact: High Integrity Impact: None Availability Impact: None CVSS V2 Severity: Base Metrics 2.9 (Low) [IPA Score] Access Vector: Adjacent Network Access Complexity: Medium Authentication: None Confidentiality Impact: Partial Integrity Impact: None Availability Impact: None The above CVSS base scores have been assigned for CVE-2024-21824
CVSS V3 Severity: Base Metrics 4.3 (Medium) [IPA Score] Attack Vector: Network Attack Complexity: Low Privileges Required: None User Interaction: Required Scope: Unchanged Confidentiality Impact: None Integrity Impact: Low Availability Impact: None CVSS V2 Severity: Base Metrics 2.6 (Low) [IPA Score] Access Vector: Network Access Complexity: High Authentication: None Confidentiality Impact: None Integrity Impact: Partial Availability Impact: None The above CVSS base scores have been assigned for CVE-2024-22475
Affected Products
Printers and scanners which implement
Brother Industries Web Based Management
As for the details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed below. BROTHER INDUSTRIES, LTD. FUJIFILM Business Innovation Corp. Toshiba Tec Corporation RICOH COMPANY, LTD.
Impact
* A network-adjacent user who can access the product may impersonate an administrative user - CVE-2024-21824 * If a user views a malicious page while logged in, unintended operations may be performed - CVE-2024-22475
Solution
[Update the firmware] Apply the appropriate firmware update according to the information provided by the respective vendors. [Apply the workaround] Applying the workarounds may mitigate the impact of CVE-2024-22475 vulnerability. For the details of the updates, refer to the information provided by the respective vendors on [Vendor Status] section.
Vendor Information
Brother Industries BROTHER INDUSTRIES, LTD. : Brother Industries, Ltd. website (in Japanese) Ricoh Co., Ltd RICOH COMPANY, LTD. : Specific Ricoh MFP and Printer Products - Session Management Vulnerability (CVE-2024-21824) TOSHIBA TEC TOSHIBA TEC : Response to vulnerability in the "Web Browser Configuration" function installed in some Toshiba Tec�fs digital multi-function peripherals FUJIFILM Business Innovation Corp. (former Fuji Xerox Co., Ltd.) FUJIFILM Business Innovation Corp. : Notification on the vulnerabilities for Web Based Management embedded in FUJIFLM printers
CWE (What is CWE?)
Improper Authentication(CWE-287) [IPA Evaluation] Cross-Site Request Forgery(CWE-352) [IPA Evaluation]
CVE (What is CVE?)
CVE-2024-21824 CVE-2024-22475
References
JVN : JVN#82749078
Revision History
[2024/03/06] Web page was published


Date Public	2024/03/06
Date First Published	2024/03/06
Date Last Updated	2024/03/06

Multiple vulnerabilities in printers and scanners which implement BROTHER Web Based Management