Lexmark Security Advisory: MarkVision Unauthorized Access Vulnerability

Revision: 1.0
Last Update: 22 April 2013
Public Release Date: 22 April 2013

Summary

Unauthorized access vulnerability

MarkVision Enterprise contains a vulnerability that allows an unauthenticated remote attacker to access and modify configuration data and fleet management information, in addition to executing commands within the application.

References

CVE: CVE-2013-3055

Affected Products

MarkVision Enterprise; for specific details see “Software Versions & Fixes”.

Details

MarkVision Enterprise is a tool that gives IT professionals the ability to track and monitor thousands of print devices.

In some versions of MarkVision Enterprise a diagnostic port is active, listening on TCP port 9789. This port provides unauthenticated access to application data and the ability to execute code within the application framework.

Impact

Successful exploitation of this vulnerability can lead to the disclosure of user and device data stored in the MarkVision Enterprise database, and the ability to execute code within the MarkVision platform.

Vulnerability Scoring Details

CVSS Base Score: 9.3

Exploitability

Access Vector: Network
Access Complexity: Medium
Authentication: None

Impact

Confidentiality: Complete
Integrity: Complete
Availability: Complete

CVSS scores are calculated in accordance with CVSS version 2.0.

Workarounds

Block access to port 9789 on the computer which hosts the MarkVision Enterprise server. Please contact the Lexmark Technical Support Center at 1-800-539-6275 for additional information.
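
To confirm the workaround has taken effect, the following added example (not part of Lexmark's advisory) probes TCP port 9789 from another machine on the network and reports whether the diagnostic port is still reachable. The host names passed on the command line and the 3-second timeout are assumptions; only the port number comes from this advisory.

```python
import socket
import sys

DIAG_PORT = 9789  # diagnostic port named in the advisory


def probe(host, port=DIAG_PORT, timeout=3.0):
    """Classify one TCP connect attempt to host:port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"        # handshake completed: listener is reachable
    except ConnectionRefusedError:
        return "closed"          # RST received: no listener, or a rejecting filter
    except socket.gaierror:
        return "unresolved"      # host name did not resolve, nothing was tested
    except OSError:
        return "filtered"        # timeout or unreachable: packets are being dropped


def audit(hosts, port=DIAG_PORT, timeout=3.0):
    """Return ({host: state}, [hosts where the port is still reachable])."""
    results = {h: probe(h, port, timeout) for h in hosts}
    exposed = sorted(h for h, state in results.items() if state == "open")
    return results, exposed


if __name__ == "__main__":
    # Usage: python check_9789.py <mve-host> [<mve-host> ...]
    # Hosts are supplied by the operator; the loopback default is a placeholder.
    targets = sys.argv[1:] or ["127.0.0.1"]
    results, exposed = audit(targets)
    for host, state in results.items():
        print(f"{host}:{DIAG_PORT} {state}")
    if exposed:
        print("Workaround NOT in effect on:", ", ".join(exposed))
        sys.exit(1)
    print("Port 9789 is not reachable on any resolved host.")
```

Run it from a workstation other than the MarkVision Enterprise server, since a host firewall rule does not affect loopback connections. A result of "filtered" or "closed" is the expected outcome after blocking the port; "unresolved" means the host was not tested at all.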

Software Versions and Fixes

The vulnerability described in this advisory has been fixed in MarkVision Enterprise v1.8 and all future releases.

Obtaining Updated Software

To obtain MarkVision Enterprise v1.8, please navigate to http://www.lexmark.com/markvision.

Exploitation and Public Announcements

Lexmark is not aware of any malicious use of the vulnerability described in this advisory. Information about this vulnerability has not been published by others previous to this advisory.

Status of this Notice

This document is provided on an "as is" basis and is provided without any express or implied guarantee or warranty whatsoever, including but not limited to the warranties of merchantability and fitness for a particular use or purpose. Lexmark reserves the right to change or update this document at any time.

Distribution

This advisory is posted on Lexmark’s web site at http://support.lexmark.com/alerts. Future updates to this document will be posted on Lexmark’s web site at the same location.

Revision History

Revision Date Reason

1.0 4/22/13 Initial Publication

LEGACY ID: TE530
