Lexmark X792

Lexmark Security Advisory: Directory Traversal Vulnerability

Revision: 1
Last update: 25 February 2021
Public Release Date: 18 December 2018

Summary

Lexmark devices contain a directory traversal vulnerability.

This advisory has been updated to list additional affected devices, which are shown in bold.

References

  • CVE-2018-18894

Details

A directory traversal vulnerability has been identified in the embedded web server used in older generation Lexmark devices. The vulnerability allows unauthenticated access to sensitive files on the device.

CVSS v3 Base Score: 7.5 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:NH)
Impact Subscore: 5.9
Exploitability Score: 3.9

CVSSv3 scores are calculated in accordance with CVSS version 3.0 (https://www.first.org/cvss/user-guide)

Impact

Successful exploitation of this vulnerability can lead to the disclosure of configuration and operating system information on the affected device.

Affected Products

To determine a device's firmware level, select the “Settings” > “Reports” > “Menu Setting Page” menu item from the operator panel. If the firmware level listed under “Device Information” matches any level under “Affected Releases”, then you should upgrade to a “Fixed Release”.

| Lexmark Models | Affected Releases | Fixed Releases |
|---|---|---|
| CX82x, CX860, XC6152, XC8155, XC8160 | CXTPP.041.243 and previous | CXTPP.050.040 and later |
| CX72x, XC41x0 | CXTAT.041.243 and previous | CXTAT.050.040 and later |
| CX92x, XC92x5 | CXTMH.041.243 and previous | CXTMH.050.040 and later |
| CS820, C6160 | CSTPP.041.243 and previous | CSTPP.050.040 and later |
| CS72x, C4150 | CSTAT.041.243 and previous | CSTAT.050.040 and later |
| CS92x | CSTMH.041.243 and previous | CSTMH.050.040 and later |
| CS41x | LW71.VY2.P215 and previous | LW71.VY2.P216 and later |
| CS51x | LW71.VY4.P215 and previous | LW71.VY4.P216 and later |
| CX410 | LW71.GM4.P215 and previous | LW71.GM4.P216 and later |
| CX510, XC2132 | LW71.GM7.P215 and previous | LW71.GM7.P216 and later |
| MS610de, MS610dte | LW71.PR4.P215 and previous | LW71.PR4.P216 and later |
| M3150 | LW71.PR4.P215 and previous | LW71.PR4.P216 and later |
| MS810de | LW71.DN4.P215 and previous | LW71.DN4.P216 and later |
| M5155, M5163 | LW71.DN4.P215 and previous | LW71.DN4.P216 and later |
| MS812de | LW71.DN7.P215 and previous | LW71.DN7.P216 and later |
| M5170 | LW71.DN7.P215 and previous | LW71.DN7.P216 and later |
| MS91x | LW71.SA.P215 and previous | LW71.SA.P216 and later |
| MX410, MX510, MX511 | LW71.SB4.P215 and previous | LW71.SB4.P216 and later |
| XM1145 | LW71.SB4.P215 and previous | LW71.SB4.P216 and later |
| MX610, MX611 | LW71.SB7.P215 and previous | LW71.SB7.P216 and later |
| XM3150 | LW71.SB7.P215 and previous | LW71.SB7.P216 and later |
| MX71x | LW71.TU.P215 and previous | LW71.TU.P216 and later |
| MX81x | LW71.TU.P215 and previous | LW71.TU.P216 and later |
| XM51xx, XM71xx | LW71.TU.P215 and previous | LW71.TU.P216 and later |
| MX91x, SM91x | LW71.MG.P215 and previous | LW71.MG.P216 and later |
| MX6500e | LW71.JD.P215 and previous | LW71.JD.P216 and later |
| C748, CS748 | LHS60.CM4.P682 and previous | LHS60.CM4.P683 and previous |
| C79x, CS796 | LHS60.HC.P682 and previous | LHS60.HC.P683 and previous |
| C925 | LHS60.HV.P682 and previous | LHS60.HV.P683 and previous |
| C95x | LHS60.TP.P682 and previous | LHS60.TP.P683 and previous |
| X548, XS548 | LHS60.VK.P682 and previous | LHS60.VK.P683 and previous |
| X74x, XS478 | LHS60.NY.P682 and previous | LHS60.NY.P683 and previous |
| X792, XS79x | LHS60.MR.P682 and previous | LHS60.MR.P683 and previous |
| X925, XS925 | LHS60.HK.P682 and previous | LHS60.HK.P683 and previous |
| X95x, XS95x | LHS60.TQ.P682 and previous | LHS60.TQ.P683 and previous |
| 6500e | LHS60.JR.P682 and previous | LHS60.JR.P683 and previous |
| X46x | LR.BS.P809 and previous | LR.BS.P810 and previous |
| X65x | LR.MN.P809 and previous | LR.MN.P810 and previous |
| X73x | LR.FL.P809 and previous | LR.FL.P810 and previous |
| X86x | LR.SP.P809 and previous | LR.SP.P810 and previous |
| C734 | LR.SK.P809 and previous | LR.SK.P810 and later |
| W850 | LR.JB.P809 and previous | LR.JB.810 and later |
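
The firmware-level comparison described above, as an added example that is not part of Lexmark's advisory: a Python check that classifies firmware levels from a printer inventory against a few rows of the table. The hostnames and inventory are constructed, splitting a level into a family prefix and numeric build is an assumption based on the strings shown here, and rows whose fixed release reads "and previous" are left out.

```python
import re

# (highest affected, lowest fixed) per firmware family, copied from a subset
# of the advisory's table rows. Extend with the rows that match your fleet.
ADVISORY = {
    "CXTPP":    ("CXTPP.041.243", "CXTPP.050.040"),
    "CXTAT":    ("CXTAT.041.243", "CXTAT.050.040"),
    "LW71.VY2": ("LW71.VY2.P215", "LW71.VY2.P216"),
    "LW71.PR4": ("LW71.PR4.P215", "LW71.PR4.P216"),
    "LW71.TU":  ("LW71.TU.P215",  "LW71.TU.P216"),
}
_NUM = re.compile(r"P?(\d+)$")  # numeric component such as '041' or 'P215'

def parse_level(level):
    """Split 'LW71.VY2.P215' into ('LW71.VY2', (215,)). Assumed format."""
    parts = level.strip().upper().split(".")
    idx = next((i for i, p in enumerate(parts) if _NUM.match(p)), None)
    if not idx:  # no numeric component, or nothing before it
        raise ValueError(f"unrecognised firmware level: {level!r}")
    matches = [_NUM.match(p) for p in parts[idx:]]
    if not all(matches):
        raise ValueError(f"unrecognised firmware level: {level!r}")
    return ".".join(parts[:idx]), tuple(int(m.group(1)) for m in matches)

def classify(level):
    family, version = parse_level(level)
    if family not in ADVISORY:
        return "not-listed"
    affected_max, fixed_min = (parse_level(v)[1] for v in ADVISORY[family])
    if version <= affected_max:
        return "affected"
    if version >= fixed_min:
        return "fixed"
    return "unknown"  # between the two releases the advisory names

# Constructed inventory: hostnames and firmware levels are made up.
INVENTORY = {
    "prn-floor1": "LW71.VY2.P215",
    "prn-floor2": "LW71.VY2.P216",
    "mfp-lobby":  "CXTPP.041.100",
    "mfp-legal":  "CXTPP.045.001",
    "prn-old":    "ZZ99.AB.P100",
}

def audit(inventory):
    return {host: classify(level) for host, level in inventory.items()}

if __name__ == "__main__":
    for host, status in audit(INVENTORY).items():
        print(f"{host:12} {status}")
```

A level that falls between the last affected and first fixed release is reported as "unknown" because the advisory does not say which side it is on; treat those devices as needing a manual check.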

Obtaining Updated Software

To obtain firmware that resolves this issue, or if you have special code, please contact Lexmark's Technical Support Center at http://support.lexmark.com to find your local support center.

Workarounds

Lexmark recommends a firmware update if your device has affected firmware.

Exploitation and Public Announcements

Lexmark is not aware of any malicious use against Lexmark products of the vulnerability described in this advisory.

Lexmark would like to thank Benjamin Rollin of GuidePoint Security for bringing this to our attention.

Status of this Notice:

THIS DOCUMENT IS PROVIDED ON AN "AS IS" BASIS AND IS PROVIDED WITHOUT ANY EXPRESS OR IMPLIED GUARANTEE OR WARRANTY WHATSOEVER, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR USE OR PURPOSE. LEXMARK RESERVES THE RIGHT TO CHANGE OR UPDATE THIS DOCUMENT AT ANY TIME.

Distribution

This advisory is posted on Lexmark’s web site at http://support.lexmark.com/alerts. Future updates to this document will be posted on Lexmark’s web site at the same location.

Revision History

| Revision | Date | Reason |
|---|---|---|
| 1.0 | 18 December 2018 | Initial Public Release |
| 1.1 | 25 February 2018 | Updated affected product list |

LEGACY ID: TE906
