Toshiba Multi-Function Printers Impacted by 40+ Vulnerabilities



Several new vulnerabilities have been found in Toshiba e-STUDIO Multi-Function Printers (MFPs), which are used by businesses and organizations worldwide.

These vulnerabilities affect 103 different models of Toshiba Multi-Function Printers.

Vulnerabilities identified include Remote Code Execution, XML External Entity Injection (XXE), Privilege Escalation, Authentication credential leak, DOM-based XSS, Insecure Permissions, TOCTOU (Time-Of-Check to Time-Of-Use) conditions, and many others.


Toshiba Multi-Function Printers

According to the reports shared with Cyber Security News, CVE-2024-27171 and CVE-2024-27180 affect the implementation of third-party applications and also the third-party applications that are installed by default on Toshiba printers.

A threat actor can exploit Toshiba Multi-Function Printers using multiple vulnerabilities. The list of affected Toshiba MFP models is as follows:

2021AC 4528AG 3515AC 5018A 3005AC 3508LP
2521AC 5528A 3615AC 5118A 3505AC 4508LP
2020AC 6528A 4515AC 5516AC 4505AC 5008LP
2520AC 6526AC 4615AC 5616AC 5005AC  
2025NC 6527AC 5015AC 6516AC 2008A  
2525AC 7527AC 5115AC 6616AC 2508A  
3025AC 6529A 2018A 7516AC 3008A  
3525AC 7529A 2518A 7616AC 3008AG  
3525ACG 9029A 2618A 5518A 3508A  
4525AC 330AC 3018A 5618A 3508AG  
4525ACG 400AC 3118A 6518A 4508A  
5525AC 2010AC 3018AG 6618A 4508AG  
5525ACG 2110AC 3518A 7518A 5008A  
6525AC 2510AC 3518AG 7618A 5506AC  
6525ACG 2610AC 3618A 8518A 6506AC  
2528A 2015NC 3618AG 8618A 7506AC  
3028A 2515AC 4518A 2000AC 5508A  
3528A 2615AC 4518AG 2500AC 6508A  
3528AG 3015AC 4618A 2005NC 7508A  
4528A 3115AC 4618AG 2505AC 8508A  

Moreover, it was also mentioned that the physical security of the printers was not analyzed, and the vulnerabilities were confirmed in different models that run the latest firmware versions, such as:

  • e-STUDIO2010AC
  • e-STUDIO3005AC
  • e-STUDIO3508A
  • e-STUDIO5018A

Further, all these printers run Linux, are powerful, and could be leveraged by a threat actor to move laterally inside infrastructures.

40 vulnerabilities were reported to Toshiba, and the necessary security advisories have been published to address these vulnerabilities.

  1. CVE-2024-27141 – Pre-authenticated Blind XML External Entity (XXE) injection – DoS
  2. CVE-2024-27142 – Pre-authenticated XXE injection
  3. CVE-2024-27143 – Pre-authenticated Remote Code Execution as root
  4. CVE-2024-27144 – Pre-authenticated Remote Code Execution as root or apache and multiple Local Privilege Escalations
    4.1. Remote Code Execution – Upload of a new .py module inside WSGI Python programs
    4.2. Remote Code Execution – Upload of new .ini configuration files inside WSGI Python programs
    4.3. Remote Code Execution – Upload of a malicious script /tmp/backtraceScript.sh and injection of malicious gdb commands
    4.4. Remote Code Execution – Upload of a malicious /home/SYSROM_SRC/build/common/bin/sapphost.py program
    4.5. Remote Code Execution – Upload of malicious libraries
    4.6. Other ways to get Remote Code Execution
  5. CVE-2024-27145 – Multiple Post-authenticated Remote Code Executions as root
  6. CVE-2024-27146 – Lack of privileges separation
  7. CVE-2024-27147 – Local Privilege Escalation and Remote Code Execution using snmpd
  8. CVE-2024-27148 – Local Privilege Escalation and Remote Code Execution using insecure PATH
  9. CVE-2024-27149 – Local Privilege Escalation and Remote Code Execution using insecure LD_PRELOAD
  10. CVE-2024-27150 – Local Privilege Escalation and Remote Code Execution using insecure LD_LIBRARY_PATH
  11. CVE-2024-27151 – Local Privilege Escalation and Remote Code Execution using insecure permissions for 106 programs
    11.1. 3 vulnerable programs not running as root
    11.2. 103 vulnerable programs running as root
  12. CVE-2024-27152 – Local Privilege Escalation and Remote Code Execution using insecure permissions for libraries
    12.1. Example with /home/SYSROM_SRC/bin/syscallerr
  13. CVE-2024-27153 – Local Privilege Escalation and Remote Code Execution using CISSM
  14. CVE-2024-27154 and CVE-2024-27155 – Passwords stored in clear-text logs and insecure logs
    14.1. Clear-text password written in logs when a user logs into the printer
    14.2. Clear-text password written in logs when a password is changed
  15. CVE-2024-27156 – Leak of authentication sessions in insecure logs in /ramdisk/work/log directory
  16. CVE-2024-27157 – Leak of authentication sessions in insecure logs in /ramdisk/al/network/log directory
  17. CVE-2024-27158 – Hardcoded root password
  18. CVE-2024-27159 – Hardcoded password used to encrypt logs
  19. CVE-2024-27160 – Hardcoded password used to encrypt logs and use of a weak digest cipher
  20. CVE-2024-27161 – Hardcoded password used to encrypt files
  21. CVE-2024-27162 – DOM-based XSS present in the /js/TopAccessUtil.js file
  22. CVE-2024-27163 – Leak of admin password and passwords
  23. CVE-2024-27164 – Hardcoded credentials in telnetd
  24. CVE-2024-27165 – Local Privilege Escalation using PROCSUID
  25. CVE-2024-27166 – Insecure permissions for core files
  26. CVE-2024-27167 – Insecure permissions used for Sendmail – Local Privilege Escalation
  27. CVE-2024-27168 – Hardcoded keys found in Python applications used to generate authentication cookies
  28. CVE-2024-27169 – Lack of authentication in WebPanel – Local Privilege Escalation
  29. CVE-2024-27170 – Hardcoded credentials for WebDAV access
  30. CVE-2024-27171 – Insecure permissions
  31. CVE-2024-27172 – Remote Code Execution – command injection as root
  32. CVE-2024-27173 – Remote Code Execution – insecure upload
  33. CVE-2024-27174 – Remote Code Execution – insecure upload
  34. CVE-2024-27175 – Local File Inclusion
  35. CVE-2024-27176 – Remote Code Execution – insecure upload
  36. CVE-2024-27177 – Remote Code Execution – insecure upload
  37. CVE-2024-27178 – Remote Code Execution – insecure copy
  38. CVE-2024-27179 – Session disclosure inside the log files in the installation of applications
  39. CVE-2024-27180 – TOCTOU vulnerability in the installation of applications, allowing the installation of rogue applications and RCE

Users of these Toshiba products are recommended to upgrade to the latest version as per Toshiba’s security advisory to prevent these vulnerabilities from being exploited by threat actors.
