
Lexmark reports two vulnerabilities in over 120 relatively new printer models. Many of these devices are used in the SME sector and are connected to the network there. According to CVSSv3, one of the vulnerabilities has a base score of 9.0 and is therefore rated “critical”. Users of the affected models should update the firmware urgently, since remote attackers could execute code on the devices.
Lexmark's list of current security advisories contains two entries for which a firmware update is recommended. According to the Common Vulnerability Scoring System version 3.0 (CVSSv3), the CVE-2023-22960 vulnerability has a score of 5.3. The second vulnerability, CVE-2023-23560, is far more serious with a score of 9.0 out of 10 and is rated critical.
Over 120 models with a critical vulnerability
On Lexmark's advisory page, the critical vulnerability CVE-2023-23560 with a score of 9.0 is described only briefly: “A Server-Side Request Forgery (SSRF) vulnerability was found in the Web Services function of newer Lexmark devices. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on a device.” An immediate update is recommended. The long list of affected devices includes many newer and older models that are used in the SME sector and are connected to the network there.
Leaky brute-force protection
The second vulnerability, CVE-2023-22960, has a score of 5.3 and should not be neglected either. Lexmark describes it as follows: “Successful exploitation of this vulnerability could lead to compromise of local account credentials.” Background: Lexmark devices have a feature that protects against brute-force attacks on local credentials by temporarily locking an account for a period of time after a series of unsuccessful login attempts. A device administrator can configure the number of attempts and the lockout time. The vulnerability bypasses this protection and allows unrestricted attempts to guess a local account's credentials.
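A lockout bypass like the one described above leaves a trace: an account keeps receiving failed-login results beyond the configured attempt limit without the device ever reporting a lockout. The following detector, added here as an illustration and not code from Lexmark or the advisory, runs over constructed sample log lines; the log format, field names and the `LOCKED` result value are assumptions, since the real device audit format is not given on this page.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the format is an assumption, not Lexmark's real audit log.
# "admin" gets seven FAIL results with no lockout; "scan" is locked after three.
SAMPLE_LOG = """\
2023-02-01T10:00:01 auth user=admin result=FAIL src=192.0.2.10
2023-02-01T10:00:02 auth user=admin result=FAIL src=192.0.2.10
2023-02-01T10:00:03 auth user=admin result=FAIL src=192.0.2.10
2023-02-01T10:00:04 auth user=admin result=FAIL src=192.0.2.10
2023-02-01T10:00:05 auth user=admin result=FAIL src=192.0.2.10
2023-02-01T10:00:06 auth user=admin result=FAIL src=192.0.2.10
2023-02-01T10:00:07 auth user=admin result=FAIL src=192.0.2.10
2023-02-01T10:00:01 auth user=scan result=FAIL src=192.0.2.11
2023-02-01T10:00:02 auth user=scan result=FAIL src=192.0.2.11
2023-02-01T10:00:03 auth user=scan result=FAIL src=192.0.2.11
2023-02-01T10:00:04 auth user=scan result=LOCKED src=192.0.2.11
2023-02-01T10:00:05 auth user=scan result=LOCKED src=192.0.2.11
"""

LINE_RE = re.compile(r"^(\S+) auth user=(\S+) result=(\S+) src=(\S+)$")

def parse(log_text):
    """Return (timestamp, user, result) tuples for every line that matches the assumed format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)))
    return events

def find_lockout_bypass(log_text, max_attempts=3, lockout=timedelta(minutes=5)):
    """Map account -> failed-attempt count for accounts that exceeded the configured
    attempt limit inside one lockout window without any LOCKED result in between,
    which a working lockout should make impossible."""
    by_user = defaultdict(list)
    for ts, user, result in sorted(parse(log_text)):
        by_user[user].append((ts, result))
    suspicious = {}
    for user, events in by_user.items():
        window = []  # FAIL timestamps inside the current lockout window
        for ts, result in events:
            if result == "LOCKED":
                window = []  # the lockout fired, so protection is working for this account
                continue
            if result != "FAIL":
                continue
            window = [t for t in window if ts - t <= lockout] + [ts]
            if len(window) > max_attempts:
                suspicious[user] = len(window)
    return suspicious
```

Set `max_attempts` and `lockout` to the values the administrator configured on the device; any account the function returns deserves a look at the firmware version.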
Updates with a version trap!
Updates are available for both vulnerabilities. The smaller vulnerability with a score of 5.3 is still present in version XXXX.081.232 and is fixed in version XXXX.081.233. But beware: the far more dangerous vulnerability with the critical score of 9.0 is still present in version XXXX.081.233 and is only closed in version XXXX.081.234. To be safe, only use downloads obtained directly from Lexmark.
More at Lexmark.com