Lexmark CS510


OpenSSL Heartbeat 'Heartbleed' Vulnerability

Lexmark Security Advisory:

Revision: 1.1
Last update: 18 April 2014
Public Release Date: 15 April 2014

Summary

OpenSSL Heartbeat Vulnerability

Lexmark has learned of a vulnerability in certain versions of the open-source OpenSSL Library that allows unauthenticated access to private memory of printer devices and computer systems. Multiple Lexmark products are affected by this vulnerability. This advisory will be updated as additional information becomes available.

References

CVE: CVE-2014-0160

Details

On April 8, 2014, a vulnerability commonly referred to as “Heartbleed” was announced in the open-source software package OpenSSL. Some versions of OpenSSL contain a flaw in their implementation of the TLS/DTLS heartbeat functionality. This flaw allows an attacker to access private memory of the application that uses the vulnerable OpenSSL library. This access may lead to the disclosure and compromise of authentication credentials (usernames/passwords, private keys, etc.) as well as user data.

Vulnerability Scoring Details

CVSS Base Score: 5.0

Impact Subscore: 2.9

Exploitability Subscore: 10

Exploitability:

  • Access Vector: Network
  • Access Complexity: Low
  • Authentication: None

Impact:

  • Confidentiality: Partial
  • Integrity: None
  • Availability: None

CVSS scores are calculated in accordance with CVSS version 2.0 (http://www.first.org/cvss/cvss-guide.html).

Impact

The impact of this vulnerability varies depending on the affected product.

Unaffected Products

The following products have been investigated and are not affected by this vulnerability:

  • Virtual Solutions Center
  • Cloud Deployment Platform
  • SmartSolutions
  • MarkVision Enterprise
  • Managed Print Services / Lexmark Data Collection Manager

We have confirmed that Perceptive Software products are not affected by this vulnerability.

Affected Products

The following products are known to be affected. For specific details see “Product Specific Information” below. Lexmark is assessing each product and will update this advisory as more information becomes available.

  • Selected Laser printer products
  • Lexmark Document Distributor
  • Lexmark Print Management, On-Premise
  • Lexmark Fleet Manager
  • Cloud Configuration Services

Product Specific Information

Lexmark is individually assessing each product and will update this advisory as more information becomes available.

Laser printer products

The following printers and MFPs are affected:

To determine what level of firmware a device is running, select the “Reports” > “Menu Settings Page” menu item from the operator panel. If the firmware is listed under “Affected Releases”, upgrade to a “Fixed Release”.

| Lexmark Models | Affected Releases | Fixed Releases |
|---|---|---|
| CS310 | LW20.VYL.P231 thru LW30.VYL.P355 | LW30.VYL.P356 and later |
| CS410 | LW20.VY2.P231 thru LW30.VY2.P355 | LW30.VY2.P356 and later |
| CS510 | LW20.VY4.P231 thru LW30.VY4.P355 | LW30.VY4.P356 and later |
| CX310 | LW20.GM2.P231 thru LW30.GM2.P355 | LW30.GM2.P356 and later |
| CX410 | LW20.GM4.P231 thru LW30.GM4.P355 | LW30.GM4.P356 and later |
| CX510 | LW20.GM7.P231 thru LW30.GM7.P355 | LW30.GM7.P356 and later |
| XC2132 | LW20.GM7.P231 thru LW30.GM7.P355 | LW30.GM7.P356 and later |
| MS310 | LW20.PRL.P231 thru LW30.PRL.P355 | LW30.PRL.P356 and later |
| MS410 | LW20.PRL.P231 thru LW30.PRL.P355 | LW30.PRL.P356 and later |
| MS510 | LW20.PR2.P231 thru LW30.PR2.P355 | LW30.PR2.P356 and later |
| MS610dn & MS610dtn | LW20.PR2.P231 thru LW30.PR2.P355 | LW30.PR2.P356 and later |
| M1145 & M3150dn | LW20.PR2.P231 thru LW30.PR2.P355 | LW30.PR2.P356 and later |
| MS610de & MS610dte | LW20.PR4.P231 thru LW30.PR4.P355 | LW30.PR4.P356 and later |
| M3150 | LW20.PR4.P231 thru LW30.PR4.P355 | LW30.PR4.P356 and later |
| MS71x | LW20.DN2.P231 thru LW30.DN2.P355 | LW30.DN2.P356 and later |
| MS810n, MS810dn & MS810dtn | LW20.DN2.P231 thru LW30.DN2.P355 | LW30.DN2.P356 and later |
| MS811 | LW20.DN2.P231 thru LW30.DN2.P355 | LW30.DN2.P356 and later |
| MS812dn, MS812dtn | LW20.DN2.P231 thru LW30.DN2.P355 | LW30.DN2.P356 and later |
| M5163dn | LW20.DN2.P231 thru LW30.DN2.P355 | LW30.DN2.P356 and later |
| MS810de | LW20.DN4.P231 thru LW30.DN4.P355 | LW30.DN4.P356 and later |
| M5155 & M5163 | LW20.DN4.P231 thru LW30.DN4.P355 | LW30.DN4.P356 and later |
| MS812de | LW20.DN7.P231 thru LW30.DN7.P355 | LW30.DN7.P356 and later |
| M5170 | LW20.DN7.P231 thru LW30.DN7.P355 | LW30.DN7.P356 and later |
| MX310 | LW20.SB2.P231 thru LW30.SB2.P355 | LW30.SB2.P356 and later |
| MX410, MX510 & MX511 | LW20.SB4.P231 thru LW30.SB4.P355 | LW30.SB4.P356 and later |
| XM1145 | LW20.SB4.P231 thru LW30.SB4.P355 | LW30.SB4.P356 and later |
| MX610 & MX611 | LW20.SB7.P231 thru LW30.SB7.P355 | LW30.SB7.P356 and later |
| XM3150 | LW20.SB7.P231 thru LW30.SB7.P355 | LW30.SB7.P356 and later |
| MX71x | LW20.TU.P231 thru LW30.TU.P355 | LW30.TU.P356 and later |
| MX81x | LW20.TU.P231 thru LW30.TU.P355 | LW30.TU.P356 and later |
| XM51xx & XM71xx | LW20.TU.P231 thru LW30.TU.P355 | LW30.TU.P356 and later |
| MX6500e | LF20.JD.P231 thru LF30.JD.P355 | LF30.JD.P356 and later |


NOTE: Releases prior to .P231 were not affected.

Only the devices listed above are affected; all other devices are not affected.
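For fleet triage, the table and the note above can be applied to an exported inventory of firmware levels. The script below is an added example, not part of Lexmark's advisory; it assumes the level reads as base.family.P-level (for example LW30.VY4.P355), that the P-level alone orders releases, and uses made-up hostnames.

```python
import re

# Family codes taken from the advisory's table (middle field of the firmware level).
AFFECTED_FAMILIES = {
    "VYL", "VY2", "VY4", "GM2", "GM4", "GM7", "PRL", "PR2", "PR4",
    "DN2", "DN4", "DN7", "SB2", "SB4", "SB7", "TU", "JD",
}
FIRST_AFFECTED, FIRST_FIXED = 231, 356  # .P231 thru .P355 affected; .P356 and later fixed

# Assumed layout: <base>.<family>.P<level>; the MX6500e uses an LF base instead of LW.
FIRMWARE_RE = re.compile(r"^L[WF]\d{2}\.([A-Z0-9]{2,3})\.P(\d+)$")


def classify(firmware):
    """Return 'affected', 'fixed', 'predates-issue', 'not-listed' or 'unparsed'."""
    # Remove whitespace so "LW30.VYL. P355" is read the same as "LW30.VYL.P355".
    cleaned = re.sub(r"\s+", "", firmware).upper()
    match = FIRMWARE_RE.match(cleaned)
    if not match:
        return "unparsed"            # needs a manual look at the Menu Settings Page
    family, level = match.group(1), int(match.group(2))
    if family not in AFFECTED_FAMILIES:
        return "not-listed"          # advisory: only the listed devices are affected
    if level < FIRST_AFFECTED:
        return "predates-issue"      # advisory: releases prior to .P231 were not affected
    return "affected" if level < FIRST_FIXED else "fixed"


def triage(inventory):
    """Group hosts by status, so the 'affected' entry is the upgrade list."""
    report = {}
    for host, firmware in inventory:
        report.setdefault(classify(firmware), []).append(host)
    return report


# Constructed inventory: hostnames and firmware levels are made up for the example.
SAMPLE = [
    ("prn-01", "LW30.VY4.P355"), ("prn-02", "LW30.VY4.P356"),
    ("prn-03", "LW20.DN2.P230"), ("prn-04", "LW20.TU.P231"),
    ("prn-05", "LF30.JD. P400"), ("prn-06", "LW30.ZZ9.P300"),
    ("prn-07", "unknown"),
]

if __name__ == "__main__":
    for status, hosts in sorted(triage(SAMPLE).items()):
        print(f"{status}: {', '.join(hosts)}")
```

Hosts reported as "unparsed" should be checked by hand rather than treated as unaffected.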

The benefit of generating new device keys and certificates is dependent on the environment in which the device is deployed. If device certificates (self-signed and/or PKI signed) are utilized within the environment, it is suggested that customers evaluate the need to generate new keys and certificates based on their internal risk assessment.

Workarounds

Lexmark recommends a firmware update if your device has affected firmware.

Obtaining Updated Software

To obtain firmware that resolves this issue or if you have special code, please contact Lexmark’s Technical Support Center at http://support.lexmark.com/ to find your local support center.

Lexmark Document Distributor

Applications running on Lexmark Document Distributor (LDD) versions 4.7 & 4.8 are vulnerable; all earlier versions of LDD are not affected by this vulnerability. A patch is available for the vulnerable versions of LDD that upgrades the OpenSSL library to version 1.0.1g.

Workarounds

Lexmark recommends applying the patch if you have a vulnerable version.

Obtaining Updated Software

To obtain the patch and installation instructions to resolve this issue, please contact your Lexmark Solutions Help Desk.

Lexmark Print Management, On-Premise

The on-premise version of the Lexmark Print Management application runs on LDD and is therefore vulnerable when running on LDD versions 4.7 or 4.8. A patch is available for LDD that fixes the vulnerability; for details, see the section on Lexmark Document Distributor above.

This advisory will be updated as more information becomes available.

Workarounds

Lexmark recommends applying the patch if you have a vulnerable version.

Obtaining Updated Software

To obtain software and installation instructions to resolve this issue, please contact your Lexmark Solutions Help Desk.

Lexmark Fleet Manager

Lexmark Fleet Manager 3.0 is not vulnerable, but Lexmark Fleet Manager 2.0 is.

An updated version of LFM 2.0 that fixes the vulnerability has been posted, and is available for immediate or automatic updating.

The fixed versions of the affected LFM components are:

  • Lexmark Service Monitor: 2.27.4.0.29
  • Lexmark Fleet Tracker: 2.27.4.0.28

Workarounds

Lexmark recommends updating the affected components if you have a vulnerable version.

Obtaining Updated Software

Updates for Lexmark Fleet Manager 2.0 are automatically distributed via the activation server. To obtain instructions on how to perform a manual update, please contact Lexmark's Technical Support Center at http://support.lexmark.com/ to find your local support center.

Exploitation and Public Announcements

Lexmark is aware of unconfirmed reports of malicious use of the vulnerability described in this advisory.

Status of this Notice:

This document is provided on an "as is" basis and is provided without any express or implied guarantee or warranty whatsoever, including but not limited to the warranties of merchantability and fitness for a particular use or purpose. Lexmark reserves the right to change or update this document at any time.

Distribution

This advisory is posted on Lexmark’s web site at http://support.lexmark.com/alerts.

Future updates to this document will be posted on Lexmark’s web site at the same location.

Revision History

| Revision | Date | Reason |
|---|---|---|
| 1.0 | 15-April-2014 | Initial Public Release |
| 1.1 | 18-April-2014 | Updated information on software and services |

LEGACY ID: TE597
