Lexmark SMB printers with critical 9.0 vulnerability

B2B Cyber Security ShortNews


Lexmark reports two vulnerabilities in over 120 relatively new printer models. Many of these devices are also used in the SME sector and are network-connected. According to CVSSv3, one of the vulnerabilities has a base score of 9.0 and is therefore rated “critical”. Users of the affected models should update the firmware urgently, as remote attackers could execute code.

In Lexmark's list of current security advisories, there are two current entries for which a firmware update is recommended. According to the Common Vulnerability Scoring System version 3.0 (CVSSv3 for short), the CVE-2023-22960 vulnerability has a score of 5.3. The second vulnerability, CVE-2023-23560, is much more serious with a score of 9.0 out of 10 and is considered critical!


Over 120 models with critical vulnerability

On the Lexmark advisory page, the critical vulnerability CVE-2023-23560 with a score of 9.0 is described only briefly and concisely: “A Server-Side Request Forgery (SSRF) vulnerability was found in the Web Services function of newer Lexmark devices. Successful exploitation of this vulnerability could allow a remote attacker to execute arbitrary code on a device.” An immediate update is recommended. The long list of affected devices includes many newer and older models that are used in the SME sector, where they also have network access.

Leaky brute-force protection

The second vulnerability, CVE-2023-22960, has a score of 5.3, which should not be neglected either. The description of the vulnerability: “Successful exploitation of this vulnerability could lead to compromise of local account credentials.” Background: Lexmark devices have a feature that protects against brute-force attacks on local credentials by temporarily locking an account for a period of time after a series of unsuccessful login attempts. The number of attempts and the lockout time can be set by a device administrator. This vulnerability bypasses the brute-force protection and allows unrestricted attempts to guess a local account's credentials.
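To make the protection described above concrete, here is an added example (not Lexmark's code, and not a description of how the bypass works) of a lockout mechanism that keys its failure counter on the account name rather than on the session or the interface that called it. A correct password is also rejected while the lockout is active, and the admin-configurable threshold and lockout window are the two parameters the advisory mentions. The credential store, the `LocalAuth` class and the injectable clock are constructed for the example.

```python
import hmac
import time
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    """Administrator-configurable parameters: how many failures trigger
    a lock and how long the lock lasts (seconds)."""
    max_attempts: int = 5
    lockout_seconds: float = 300.0


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since the last success/lock
    locked_until: float = 0.0  # monotonic timestamp; 0 means "not locked"


class LocalAuth:
    """Password check wrapped in per-account lockout tracking.

    Constructed example: `users` maps account name -> password. A clock
    function is injected so the lockout window can be tested without sleeping.
    """

    def __init__(self, users, policy=LockoutPolicy(), clock=time.monotonic):
        self._users = dict(users)
        self._policy = policy
        self._clock = clock
        self._state = {}  # account name -> AccountState, shared by every login path

    def login(self, username: str, password: str) -> str:
        """Return "ok", "denied" or "locked".

        The counter lives in server-side state keyed on the account, so it
        is not reset by opening a new session or using a different interface.
        """
        now = self._clock()
        st = self._state.setdefault(username, AccountState())

        if now < st.locked_until:
            # Locked accounts are refused before the password is even checked,
            # so guessing cannot continue during the lockout window.
            return "locked"

        # Unknown accounts are compared against an empty string so they take
        # the same code path (and count failures the same way) as real ones.
        expected = self._users.get(username, "")
        if hmac.compare_digest(expected.encode(), password.encode()) and username in self._users:
            st.failures = 0
            return "ok"

        st.failures += 1
        if st.failures >= self._policy.max_attempts:
            st.failures = 0
            st.locked_until = now + self._policy.lockout_seconds
            return "locked"
        return "denied"

    def remaining_lockout(self, username: str) -> float:
        """Seconds of lockout left for an account (0 if not locked)."""
        st = self._state.get(username)
        if st is None:
            return 0.0
        return max(0.0, st.locked_until - self._clock())


def demo():
    """Walk through three bad guesses, a lockout, and expiry of the window."""
    fake_now = [0.0]
    auth = LocalAuth({"admin": "s3cret"}, LockoutPolicy(max_attempts=3, lockout_seconds=60),
                     clock=lambda: fake_now[0])
    results = [auth.login("admin", "guess1"), auth.login("admin", "guess2"),
               auth.login("admin", "guess3"), auth.login("admin", "s3cret")]
    fake_now[0] = 61.0  # lockout window has passed
    results.append(auth.login("admin", "s3cret"))
    return results


if __name__ == "__main__":
    print(demo())
```

The essential property is that the failure counter and the lock timestamp are server-side state indexed by the account, evaluated on every login path before the password is checked; a protection that only exists in one interface, or that is tied to a client session, can be stepped around.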

Updates with version trap!

Updates are available for both vulnerabilities. The smaller vulnerability with a score of 5.3 is still present in version XXXX.081.232 and is fixed in version XXXX.081.233. But attention: the significantly more dangerous vulnerability with the critical score of 9.0 is still present in version XXXX.081.233 and is only closed with version XXXX.081.234. To be safe, only use direct downloads from Lexmark.
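Because the two fixes landed in different builds, an inventory check has to compare build numbers rather than just ask "is there an update". The following added example (not a Lexmark tool) parses version strings of the shape shown in the advisory, `FAMILY.081.NNN`, where `XXXX` stands for the model-family code, and reports which of the two CVEs a given build still lacks a fix for. The fix thresholds are the ones the article states; any version whose middle number is not `081` is reported as unknown, because the article gives no information about other branches. The hostnames and version strings in the inventory are constructed sample data.

```python
import re
from typing import Dict, List, Optional, Tuple

# Fix builds as stated in the advisory summary above: CVE-2023-22960 is fixed in
# .081.233, CVE-2023-23560 only in .081.234. Only the 081 branch is covered.
FIX_BUILD = {
    "CVE-2023-22960": 233,
    "CVE-2023-23560": 234,
}
COVERED_BRANCH = 81

# Assumed version layout: <family code>.<3-digit branch>.<3-digit build>,
# e.g. "XXXX.081.233" (the family code is a placeholder in the advisory).
VERSION_RE = re.compile(r"^(?P<family>[A-Za-z0-9]+)\.(?P<branch>\d{3})\.(?P<build>\d{3})$")


def parse_version(version: str) -> Optional[Tuple[str, int, int]]:
    """Split a firmware version into (family, branch, build); None if malformed."""
    m = VERSION_RE.match(version.strip())
    if not m:
        return None
    return m.group("family"), int(m.group("branch")), int(m.group("build"))


def unpatched_cves(version: str) -> Optional[List[str]]:
    """CVEs still unfixed in this build (empty list if fully patched).

    Returns None when the version is malformed or belongs to a branch the
    advisory summary does not cover, so callers cannot mistake "unknown"
    for "patched".
    """
    parsed = parse_version(version)
    if parsed is None:
        return None
    _, branch, build = parsed
    if branch != COVERED_BRANCH:
        return None
    return [cve for cve, fix in sorted(FIX_BUILD.items()) if build < fix]


def audit(inventory: Dict[str, str]) -> Dict[str, str]:
    """Map each device to a one-line finding: 'patched', 'unknown', or the CVE list."""
    findings = {}
    for host, version in inventory.items():
        missing = unpatched_cves(version)
        if missing is None:
            findings[host] = f"unknown (version '{version}' not covered)"
        elif not missing:
            findings[host] = "patched"
        else:
            findings[host] = "missing fixes for " + ", ".join(missing)
    return findings


# Constructed sample inventory; hostnames and versions are made up.
SAMPLE_INVENTORY = {
    "printer-reception": "XXXX.081.232",
    "printer-finance": "XXXX.081.233",
    "printer-warehouse": "XXXX.081.234",
    "printer-lab": "XXXX.079.100",
    "printer-broken": "unknown-build",
}

if __name__ == "__main__":
    for host, finding in audit(SAMPLE_INVENTORY).items():
        print(f"{host:20s} {finding}")
```

The point of the `None` return is the version trap from the text: a device on .081.233 looks "updated" next to one on .081.232, yet still carries the critical SSRF issue, and a device on a branch the advisory does not mention must be checked against the vendor page rather than assumed safe.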

More at Lexmark.com

