Skip to Content Information Center
Lexmark MX718

Lexmark MX718

Multiple OpenSSL Vulnerabilities

Lexmark Security Advisory:

Revision: 1.1 Last update: 21 July 2014 Public Release Date: 28 July 2014

Summary

Multiple OpenSSL vulnerabilities

Recently announced vulnerabilities in OpenSSL allow for possible attacks against the SSL & TLS protocols. These vulnerabilities affect multiple Lexmark products.

This advisory will be updated as additional information becomes available.

References

CVE:

  • CVE-2014-0224 SSL/TLS MITM vulnerability
  • CVE-2014-0221 DTLS recursion flaw
  • CVE-2014-0195 DLTS invalid fragment vulnerability
  • CVE-2014-0198 SSL_MODE_RELEASE_BUFFERS NULL pointer dereference
  • CVE-2010-5298 SSL_MODE_RELEASE_BUFFERS session injection of denial of service
  • CVE-2014-3470 ECDH denial of service
  • CVE-2014-0076 ECDSA NONCE side channel attack

Details

On June 5, 2014 the OpenSSL Project released a security advisory detailing multiple vulnerabilities. These vulnerabilities include:

CVE-2014-0224 SSL/TLS MITM vulnerability

A remote attacker with the ability to intercept and inject traffic between a vulnerable client and server could successfully force the SSL/TLS protocols to use a known session key, thus rendering the content of those communications vulnerable to interception and modification.

CVSS Base Score: 6.8 (AV:N/AC:M/AU:N/C:P/I:P/A:P) Impact Subscore: 6.4 Exploitability Subscore: 8.6

CVE-2014-0221 DTLS recursion flaw

Sending an invalid DTLS handshake can cause a crash leading to a denial of service attack.


NOTE:
No Lexmark products support the DTLS protocol; therefore no Lexmark products are vulnerable to this issue.

CVE-2014-0195 DLTS invalid fragment vulnerability

A buffer overrun can be triggered by sending an invalid DTLS fragment.


NOTE:
No Lexmark products support the DTLS protocol; therefore no Lexmark products are vulnerable to this issue.

CVE-2014-0198 SSL_MODE_RELEASE_BUFFERS NULL pointer dereference

A remote attacker could send a specially crafted packet that would trigger a crash leading to a denial of service attack.

CVSS Base Score: 4.3 (AV:N/AC:M/AU:N/C:N/I:N/A:P) Impact Subscore: 2.9 Exploitability Subscore: 8.6

CVE-2010-5298 SSL_MODE_RELEASE_BUFFERS session injection of denial of service

A remote attacker could send a specially crafted packet that would trigger a crash leading to a denial of service attack.

CVSS Base Score: 4.0 (AV:N/AC:H/AU:N/C:N/I:P/A:P) Impact Subscore: 4.9 Exploitability Subscore: 4.9

CVE-2014-3470 ECDH denial of service

A remote attacker could trigger a crash leading to a denial of service attack.

CVSS Base Score: 4.3 (AV:N/AC:M/AU:N/C:N/I:N/A:P) Impact Subscore: 2.9 Exploitability Subscore: 8.6

CVE-2014-0076 ECDSA NONCE side channel attack

ECDSA nonce is vulnerable to a timing based side channel attack.

CVSS Base Score: 4.3 (AV:N/AC:M/AU:N/C:PI:N/A:N) Impact Subscore: 2.9 Exploitability Subscore: 8.6

CVSS scores are calculated in accordance with CVSS version 2.0 (http://www.first.org/cvss/cvss-guide.html).

Impact

The impact of this vulnerability varies depending on the affected product.

Unaffected Products

The following products have been investigated and are not affected by this vulnerability:

  • MarkVision Enterprise

Affected Products

The following products are known to be affected, for specific details see “Product Specific Information” below.

  • Lexmark printer products
  • Perceptive Content: ImageNow
  • Perceptive Search
  • Perceptive Process
  • Lexmark Document Distributor
  • Lexmark Print Management, On-Premise
  • Lexmark Fleet Manager
  • Cloud Configuration Services

Product Specific Information

Lexmark is individually assessing each product and will update this advisory as more information becomes available.

Laser printer products

The following printers and MFPs are affected:

To determine the level of firmware a device is running, from the control panel select Menu > Reports > Menu Settings Page. If the firmware is listed under “Affected Releases”, update to a “Fixed Release”.

Lexmark Models
Affected Releases
Fixed Releases
2012 Models
CS310LW40.VYL.P449 and previousLW40.VYL.P450 and later
CS410LW40.VY2.P449 and previousLW40.VY2.P450 and later
CS510LW40.VY4.P449 and previousLW40.VY4.P450 and later
CX310LW40.GM2.P449 and previousLW40.GM2.P450 and later
CX410LW40.GM4.P449 and previousLW40.GM4.P450 and later
CX510 & XC2132LW40.GM7.P449 and previousLW40.GM7.P450 and later
MS310 & MS410LW40.PRL.P449 and previousLW40.PRL.P450 and later
MS510, MS610dn, MS610dtn, M1145 & M3150dnLW40.PR2.P449 and previousLW40.PR2.P450 and later
MS610de, MS610dte & M3150LW40.PR4.P449 and previousLW40.PR4.P450 and later
MS71x, MS810n, MS810dn, MS810dtn, MS811, MS812dn, MS812dtn & M5163dnLW40.DN2.P449 and previousLW40.DN2.P450 and later
MS810de, M5155 & M5163LW40.DN4.P449 and previousLW40.DN4.P450 and later
MS812de & M5170LW40.DN7.P449 and previousLW40.DN7.P450 and later
MX310LW40.SB2.P449 and previousLW40.SB2.P450 and later
MX410, MX510, MX511 & XM1145LW40.SB4.P449 and previousLW40.SB4.P450 and later
MX610, MX611 & XM3150LW40.SB7.P449 and previousLW40.SB7.P450 and later
MX71x, MX81x, XM51xx & XM71xxLW40.TU.P449 and previousLW40.TU.P450 and later
MX6500eLF40.JD.P449 and previousContact Lexmark Technical Support.
MS911deLW40.SA.P448 and previousLW40.SA.P450 and later
MX91xLW40.MG.P449 and previousLW40.MG.P450 and later
2010 Models
X548 & XS548LHS30.VK.P345and previousLHS30.VK.P346 and later
X792 & XS796LHS30.MR.P345 and previousLHS30.MR.P346 and later
X925 & XS925LHS30.HK.P345 and previousLHS30.HK.P346 and later
X950, X952, X954 & XS955LHS30.TQ.P345 and previousLHS30.TQ.P346 and later
6500eLHS30.JR.P345 and previousLHS30.JR.P346 and later
2008 Models
E260 E360dLL.LBL.P539 and previousContact Lexmark Technical Support.
E360dnLL.LBM.P539 and previousContact Lexmark Technical Support.
E460 & E462LR.LBH.P672 and previousContact Lexmark Technical Support.
T650 T652 T654LR.JP.P677 and previousContact Lexmark Technical Support.
T656LSJ.SJ.P039 and previousContact Lexmark Technical Support.
W850LP.JB.P1644 and previousContact Lexmark Technical Support.
C540, C543 & C544LL.AS.P535 and previousContact Lexmark Technical Support.
C546LU.AS.P532 and previousContact Lexmark Technical Support.
C73xLR.SK.P691 and previousContact Lexmark Technical Support.
C920LS.TA.P153 and previousContact Lexmark Technical Support.
C935dnLC.JO.P091 and previousContact Lexmark Technical Support.
X46xLR.BS.P691 and previousLR.BS.P692 and later
X26x & X36xLL.BZ.P544 and previousContact Lexmark Technical Support.
X543 & X544LL.EL.P544 and previousContact Lexmark Technical Support.
X546LL.EL.P544 and previousContact Lexmark Technical Support.
X65xLR.MN.P691 and previousLR.MN.P692 and later
X73xLR.FL.P691 and previousLR.FL.P692 and later
X86xLP.SP.P692 and previousLP.SP.P693 and later
2006 and Previous Models
E450LM.SZ.P124 and previousContact Lexmark Technical Support.
T64xLS.ST.P347 and previousContact Lexmark Technical Support.
W840LS.HA.P253 and previousContact Lexmark Technical Support.
C52xLS.FA.P151 and previousContact Lexmark Technical Support.
C53xLS.SW.P070 and previousContact Lexmark Technical Support.
C77xLC.CM.P053 and previousContact Lexmark Technical Support.
C78xLC.IO.P188 and previousContact Lexmark Technical Support.
X20xLM1.MT.P233 and previousContact Lexmark Technical Support.
X642LC2.MB.P318 and previousContact Lexmark Technical Support.
X644 & X646LC2.MC.P374 and previousContact Lexmark Technical Support.
X64xefLC2.TI.P327 and previousContact Lexmark Technical Support.
X772eLC.TR.P291 and previousContact Lexmark Technical Support.
X782eLC2.TO.P336 and previousLC2.TO.P305cS and later
X78xLC2.IO.P336 and previousContact Lexmark Technical Support.
X85xLC4.BE.P488 and previousContact Lexmark Technical Support.
X94xLC.BR.P145 and previousContact Lexmark Technical Support.
25xxNLCL.CU.P114 and previousContact Lexmark Technical Support.
N4000LC.MD.P012d and previousContact Lexmark Technical Support.
N4050eGO.GO.N206 and previousContact Lexmark Technical Support.
N70xxeLC.CO.N309 and previousContact Lexmark Technical Support.
N8120 & N8130LR.MU.P311f and previousContact Lexmark Technical Support.

Only the devices listed above are affected, all other devices are not affected.

Workarounds

Lexmark recommends a firmware update if your device has affected firmware.

Obtaining Updated Software

To obtain the firmware that resolves this issue or if you have special code, please contact Lexmark Technical Support at Lexmark Support website, go to your product's support page and locate

Get In Touch with Lexmark! for contact information.

Lexmark Document Distributor

Applications running on Lexmark Document Distributor (LDD) versions 4.8.3 or later are not vulnerable, all earlier versions of LDD are vulnerable. A patch is available for the vulnerable versions of LDD that upgrades the OpenSSL library to version 1.0.1h.

Workarounds

Lexmark recommends applying the patch if you have a vulnerable version.

Obtaining Updated Software

To obtain the patch and installation instructions to resolve this issue, please contact your Lexmark Solutions Help Desk.

Lexmark Print Management, On-Premise

The on-premise version of the Lexmark Print Management application version 2.3.14.0 (or later) is not vulnerable, but versions 2.3.13 and previous are known to be vulnerable.

Workarounds

Lexmark recommends updating the application if you have a vulnerable version.

Obtaining Updated Software

To obtain software and installation instructions to resolve this issue, please contact your Lexmark Solutions Help Desk.

Lexmark Fleet Manager

Lexmark Fleet Manager 3.0 is not vulnerable, but Lexmark Fleet Manager 2.0 is.

An updated version of LFM 2.0 that fixes the vulnerability has been posted, and is available for immediate or automatic updating. The fixed versions of the affected LFM components are:

  • Lexmark Service Monitor: 2.27.4.0.31
  • Lexmark Fleet Tracker: 2.27.4.0.30

Workarounds

Lexmark recommends updating the affected components if you have a vulnerable version.

Obtaining Updated Software

Updates for Lexmark Fleet Manager 2.0 are automatically distributed via the activation server. To obtain instructions on how to perform manual update, please contact Lexmark Technical Support at Lexmark Support website, go to your product's support page and locate

Get In Touch with Lexmark! for contact information.

Perceptive Content

Perceptive Content versions 6.6, 6.7, and 6.8 are vulnerable when using Envoy to make outbound calls with SSL enabled.

Workarounds

Modify the server being called to use a non-vulnerable version of OpenSSL.

Obtaining Updated Software

An update is not currently available. Perceptive Software plans to resolve this vulnerability in a future release.

Perceptive Search

Perceptive Enterprise Search, versions 10.0, 10.1, 10.2, and 10.3 are vulnerable.

Workarounds

Perceptive recommends applying the patch.

Obtaining Updated Software

Perceptive Search 10.x OpenSSL 1.0.1h Patch is available via the Perceptive Software Customer Portal. (www.perceptivesoftware.com) This patch will be included in Perceptive Enterprise Search 10.4.

Perceptive Process

Perceptive Process, versions 2.8, 2.9, 3.0, and 3.1 are vulnerable on the Windows platform. On the UNIX platform Perceptive Process utilizes the OpenSSL libraries that are part of the platform and therefore patching OpenSSL on the platform will address the vulnerability.

Workarounds

There are currently no workarounds.

Obtaining Updated Software

An update is not currently available. Perceptive Software plans to have this rectified in Perceptive Process 3.3.

Exploitation and Public Announcements

Lexmark is not aware of any malicious use of the vulnerabilities described in this advisory.

Status of this Notice:

This document is provided on an "as is" basis and is provided without any express or implied guarantee or warranty whatsoever, including but not limited to the warranties of merchantability and fitness for a particular use or purpose. Lexmark reserves the right to change or update this document at any time.

Distribution

This advisory is posted on Lexmark’s web site at http://support.lexmark.com/alerts.

Future updates to this document will be posted on Lexmark’s web site at the same location.

Revision History

Revision Date Reason

1.0 18 – July – 2014 Initial Release 1.1 21 – July – 2014 Additional product information added.

LEGACY ID: TE626

Was this article helpful?
Top