JVNDB-2022-002780

Command injection vulnerability in SHARP Multifunctional Products (MFP)

Overview

SHARP Multifunctional Products (MFP) contain a command injection vulnerability (CWE-77, CVE-2022-45796).

The impact extends beyond the web application component to the underlying OS layer; because the web application component is treated as separate from the OS layer, 'Scope' is analyzed as Changed ('S:C').

Sharp reported this vulnerability to JPCERT/CC to notify users of its solution through JVN.
CVSS Severity

CVSS V3 Severity:
Base Metrics 9.1 (Critical) [Other]
  • Attack Vector: Network
  • Attack Complexity: Low
  • Privileges Required: High
  • User Interaction: None
  • Scope: Changed
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
Affected Products

Sharp Corporation
  • (Multiple Products)

A wide range of product models and firmware versions is affected by this vulnerability. For more information, refer to the information provided by the developer.

* Digital Full-color Multifunctional System
* Digital Multifunctional System (Monochrome)
Impact

If this vulnerability is exploited, an arbitrary command may be executed on the affected MFP firmware.

The developer states that the following are prerequisites for exploiting this vulnerability.

* A remote attacker has access to the affected MFPs via network
* A remote attacker is authenticated with the administrative privileges of the affected MFPs

For more information, refer to the information provided by the developer.
Solution

[Update the firmware]
Apply the appropriate firmware update according to the information provided by the developer.
For details such as how to update the firmware and where to obtain the firmware update, refer to Sharp Corporation - Sharp Global Support page.

[Apply workaround]
Applying the following workarounds may mitigate the impact of this vulnerability.

* Connect MFPs to the internet only from within a securely protected network, for example behind a firewall or similar network appliance
* Change the factory-shipped default administrative password, and manage it appropriately

For details of the workarounds, refer to Sharp Corporation - Sharp Global Support page.
Vendor Information

Sharp Corporation
CWE

  1. Command Injection (CWE-77) [Other]
CVE

  1. CVE-2022-45796
References

  1. JVN : JVNVU#96195138
  2. Related document : SHARP Multifunction Printer - Command Injection
Revision History

  • [2022/12/20]
      Web page was published