[Japanese]

JVNDB-2024-009481

Insecure initial password configuration issue in SEIKO EPSON Web Config

Overview

Web Config is software that allows users to check the status and change the settings of SEIKO EPSON products, e.g., printers and scanners, via a web browser. In the initial setting no administrative password is set, and when a user connects the device and configures Web Config settings for the first time, the user is requested to set the password.
Therefore, when a product is connected to network without the Web Config settings configured, arbitrary password may be set and the device may be operated with an administrative privilege by an attacker (CWE-1188).

George Puckett reported this vulnerability to CERT/CC.
Requested by CERT/CC, JPCERT/CC coordinated with the developer.
CVSS Severity (What is CVSS?)

CVSS V3 Severity:
Base Metrics 8.1 (High) [Other]
  • Attack Vector: Network
  • Attack Complexity: High
  • Privileges Required: None
  • User Interaction: None
  • Scope: Unchanged
  • Confidentiality Impact: High
  • Integrity Impact: High
  • Availability Impact: High
[Comment] The attack scenario assumes the condition that the target device is connected to network with Web Config never configured. AC (Attack Complexity) is evaluated as H (High) according to CVSS 3.0 specification.
Affected Products


SEIKO EPSON CORPORATION
  • Web Config

For the information of the affected devices, please refer to the information (in Japanese) provided by the developer.
Impact

When the product is connected to network without the Web Config settings configured, an arbitrary password may be set and the product may be operated with an administrative privilege by an attacker.
Solution

[Apply the workaround]
Applying the following workaround may mitigate the impact of this vulnerability.
* Set the administrative password
In the section 3 of developer's Security Guidebook,it is strongly recommended to set the administrative password when installing product.

Vendor Information

SEIKO EPSON CORPORATION
CWE (What is CWE?)

  1. Insecure Default Initialization of Resource(CWE-1188) [Other]
CVE (What is CVE?)

  1. CVE-2024-47295
References

  1. JVN : JVNVU#95133448
Revision History

  • [2024/10/01]
      Web page was published