Skip to Content Information Center
Lexmark B2236

Lexmark B2236

Lexmark Security Advisory: Cross Site Request Forgery Vulnerability (CVE-2020-10095)

Lexmark Security Advisory:

Revision: 1.0
Last update: 11-June-2020
Public Release Date: 19-June-2020

Summary

Lexmark devices' embedded web server contains a cross site request forgery attack vulnerability that allows devices configuration to be altered without authorization.

References

CVE: CVE-2020-10095

Details

A vulnerability has been identified in the embedded web server used in Lexmark devices. The vulnerability allows the attacker to modify the configuration of the device.

CVSSv3 Base Score6.8(AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:N)
Impact Subscore:5.2
Exploitability Subscore:1.6

CVSSv3 scores are calculated in accordance with CVSS version 3.1 (https://www.first.org/cvss/user-guide)

Impact

Successful exploitation of this vulnerability can lead to the modification of the configuration of the device.

Affected Products

To determine a devices firmware level, select the Settings > Reports > Menu Setting Page menu item from the operator panel.

If the firmware level listed under Device Information matches any level under Affected Releases, then upgrade to a Fixed Release.

Lexmark ModelsAffected ReleasesFixed Releases
B2236MSLSG.072.202 and previousMSLSG.072.203 and later
MS331, MS431MSLBD.072.202 and previousMSLBD.072.203 and later
M1241MSLBD.072.202 and previousMSLBD.072.203 and later
B3442, B3340MSLBD.072.202 and previousMSLBD.072.203 and later
MB2236MXLSG.072.202 and previousMXLSG.072.203 and later
MX431, MX331MXLBD.072.202 and previousMXLBD.072.203 and later
MB3442MXLBD.072.202 and previousMXLBD.072.203 and later
MS521MSNGM.072.202 and previousMSNGM.072.203 and later
MS621, MS622MSTGM.072.202 and previousMSTGM.072.203 and later
M1246, M3250MSTGM.072.202 and previousMSTGM.072.203 and later
B2546, B2650MSTGM.072.202 and previousMSTGM.072.203 and later
MX421, MX521, MX522, MX622MXTGM.072.202 and previousMXTGM.072.203 and later
XM1242, XM1246, XM3250MXTGM.072.202 and previousMXTGM.072.203 and later
MB2546, MB2650MXTGM.072.202 and previousMXTGM.072.203 and later
MX321MXNGM.072.202 and previousMXNGM.072.203 and later
MB2338MXNGM.072.202 and previousMXNGM.072.203 and later
MS725, MS821MSNGW.072.202 and previousMSNGW.072.203 and later
MS822, MS823, MS825, MS826MSTGW.072.202 and previousMSTGW.072.203 and later
M5255, M5270MSTGW.072.202 and previousMSTGW.072.203 and later
B2865MSTGW.072.202 and previousMSTGW.072.203 and later
MX721, MX722, MX822, MX826MXTGW.072.202 and previousMXTGW.072.203 and later
XM5365, XM7355, XM7370MXTGW.072.202 and previousMXTGW.072.203 and later
C3426CSLBN.072.202 and previousCSLBN.072.203 and later
CS431CSLBN.072.202 and previousCSLBN.072.203 and later
CS331CSLBL.072.202 and previousCSLBL.072.203 and later
C3224CSLBL.072.202 and previousCSLBL.072.203 and later
C3326CSLBL.072.202 and previousCSLBL.072.203 and later
MC3426CXLBN.072.202 and previousCXLBN.072.203 and later
CX431CXLBN.072.202 and previousCXLBN.072.203 and later
MC3326, MC3224CXLBL.072.202 and previousCXLBL.072.203 and later
CX331CXLBL.072.202 and previousCXLBL.072.203 and later
CS622CSTZJ.072.202 and previousCSTZJ.072.203 and later
C2240CSTZJ.072.202 and previousCSTZJ.072.203 and later
CS421, CS521CSNZJ.072.202 and previousCSNZJ.072.203 and later
C2535, C2325, C2425CSNZJ.072.202 and previousCSNZJ.072.203 and later
CX522, CX622, CX625CXTZJ.072.202 and previousCXTZJ.072.203 and later
XC2235, XC4240CXTZJ.072.202 and previousCXTZJ.072.203 and later
MC2535, MC2640CXTZJ.072.202 and previousCXTZJ.072.203 and later
CX421CXNZJ.072.202 and previousCXNZJ.072.203 and later
MC2325, MC2425CXNZJ.072.202 and previousCXNZJ.072.203 and later
CX820, CX825, CX860CXTPP.072.202 and previousCXTPP.072.203 and later
XC6152, XC8155, XC8160CXTPP.072.202 and previousCXTPP.072.203 and later
CS820CSTPP.072.202 and previousCSTPP.072.203 and later
C6160CSTPP.072.202 and previousCSTPP.072.203 and later
CS720, CS725CSTAT.072.202 and previousCSTAT.072.203 and later
C4150CSTAT.072.202 and previousCSTAT.072.203 and later
CX725CXTAT.072.202 and previousCXTAT.072.203 and later
XC4140, XC4150CXTAT.072.202 and previousCXTAT.072.203 and later
CS921, CS923CSTMH.072.202 and previousCSTMH.072.203 and later
CX921, CX922, CX923, CX924CXTMH.072.202 and previousCXTMH.072.203 and later
XC92xxCXTMH.072.202 and previousCXTMH.072.203 and later

Obtained Updated Software

To obtain firmware that resolves this issue or if you have special code, please contact Lexmark’s Technical Support Center at http://support.lexmark.com to find your local support center.

Workarounds

Lexmark recommends a firmware update if your device has affected firmware.

Exploitation and Public Announcements

Lexmark is not aware of any malicious use against Lexmark products of the vulnerability described in this advisory.

Status of this Notice:

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND IS PROVIDED WITHOUT ANY EXPRESS OR IMPLIED GUARANTEE OR WARRANTY WHATSOEVER, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR USE OR PURPOSE. LEXMARK RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Distribution

This advisory is posted on Lexmark’s web site at http://support.lexmark.com/alerts Future updates to this document will be posted on Lexmark’s web site at the same location.

Revision History

RevisionDateReason
1.019 - June- 2020Initial Public Release

Top

LEGACY ID: TE939

Consideraţi acest articol util?
Top