[Japanese]

JVNDB-2018-000128

Multiple vulnerabilities in multiple SEIKO EPSON printers and scanners

Overview

Multiple printers and scanners provided by SEIKO EPSON CORPORATION contain multiple vulnerabilities listed below.
* Open Redirect (CWE-601) - CVE-2018-0688
* HTTP header injection (CWE-113) - CVE-2018-0689

Toshitsugu Yoneyama of Mitsui Bussan Secure Directions, Inc. reported this vulnerability to IPA.
JPCERT/CC coordinated with the developer under Information Security Early Warning Partnership.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 4.7 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2018-0688


CVSS V3 Severity:
Base Metrics: 4.7 (Medium) [IPA Score]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: None
  • User Interaction: Required
  • Scope: Changed
  • Confidentiality Impact: None
  • Integrity Impact: Low
  • Availability Impact: None
CVSS V2 Severity:
Base Metrics: 4.3 (Medium) [IPA Score]
  • Access Vector: Network
  • Access Complexity: Medium
  • Authentication: None
  • Confidentiality Impact: None
  • Integrity Impact: Partial
  • Availability Impact: None
The above CVSS base scores have been assigned for CVE-2018-0689
Affected Products


SEIKO EPSON CORPORATION
  • DS-570W firmware versions released prior to March 13, 2018
  • DS-780N firmware versions released prior to March 13, 2018
  • EP-10VA firmware versions released prior to September 4, 2017
  • EP-30VA firmware versions released prior to June 19, 2017
  • EP-707A firmware versions released prior to August 1, 2017
  • EP-708A firmware versions released prior to August 7, 2017
  • EP-709A firmware versions released prior to June 12, 2017
  • EP-777A firmware versions released prior to August 1, 2017
  • EP-807AB/AW/AR firmware versions released prior to August 1, 2017
  • EP-808AB/AW/AR firmware versions released prior to August 7, 2017
  • EP-879AB/AW/AR firmware versions released prior to June 12, 2017
  • EP-907F firmware versions released prior to August 1, 2017
  • EP-977A3 firmware versions released prior to August 1, 2017
  • EP-978A3 firmware versions released prior to August 7, 2017
  • EP-979A3 firmware versions released prior to June 12, 2017
  • EP-M570T firmware versions released prior to September 6, 2017
  • EW-M5071FT firmware versions released prior to November 2, 2017
  • EW-M660FT firmware versions released prior to April 19, 2018
  • EW-M770T firmware versions released prior to September 6, 2017
  • PF-70 firmware versions released prior to April 20, 2018
  • PF-71 firmware versions released prior to July 18, 2017
  • PF-81 firmware versions released prior to September 14, 2017
  • PX-048A firmware versions released prior to July 4, 2017
  • PX-049A firmware versions released prior to September 11, 2017
  • PX-437A firmware versions released prior to July 24, 2017
  • PX-M350F firmware versions released prior to February 23, 2018
  • PX-M5040F firmware versions released prior to November 20, 2017
  • PX-M5041F firmware versions released prior to November 20, 2017
  • PX-M650A firmware versions released prior to October 17, 2017
  • PX-M650F firmware versions released prior to October 17, 2017
  • PX-M680F firmware versions released prior to June 29, 2017
  • PX-M7050F firmware versions released prior to October 13, 2017
  • PX-M7050FP firmware versions released prior to October 13, 2017
  • PX-M7050FX firmware versions released prior to November 7, 2017
  • PX-M7070FX firmware versions released prior to April 27, 2017
  • PX-M740F firmware versions released prior to December 4, 2017
  • PX-M741F firmware versions released prior to December 4, 2017
  • PX-M780F firmware versions released prior to June 29, 2017
  • PX-M781F firmware versions released prior to June 27, 2017
  • PX-M840F firmware versions released prior to November 16, 2017
  • PX-M840FX firmware versions released prior to December 8, 2017
  • PX-M860F firmware versions released prior to October 25, 2017
  • PX-S05B/W firmware versions released prior to March 9, 2018
  • PX-S350 firmware versions released prior to February 23, 2018
  • PX-S5040 firmware versions released prior to November 20, 2017
  • PX-S7050 firmware versions released prior to February 21, 2018
  • PX-S7050PS firmware versions released prior to February 21, 2018
  • PX-S7050X firmware versions released prior to November 7, 2017
  • PX-S7070X firmware versions released prior to April 27, 2017
  • PX-S740 firmware versions released prior to December 3, 2017
  • PX-S840 firmware versions released prior to November 16, 2017
  • PX-S840X firmware versions released prior to December 8, 2017
  • PX-S860 firmware versions released prior to December 7, 2017

For details, refer to the information provided by the developer.
Impact

* The product's web interface may be abused to redirect web browsers to any web site. - CVE-2018-0688
* The product's web interface may be abused to show fake information or execute arbitrary script on web browsers. - CVE-2018-0689
Solution

[Update the Firmware]
Apply the firmware update according to the information provided by the developer.
Vendor Information

SEIKO EPSON CORPORATION
CWE (What is CWE?)

  1. Improper Input Validation(CWE-20) [IPA Evaluation]
CVE (What is CVE?)

  1. CVE-2018-0688
  2. CVE-2018-0689
References

  1. JVN : JVN#89767228
Revision History

  • [2018/12/06]
      Web page was published