
CVE-2023-46327: Notification on the vulnerability in the encryption method used in the Address Book : FUJIFILM Business Innovation Corp.

Multiple MFPs (multifunction printers) provided by FUJIFILM Business Innovation Corp. and Xerox Corporation provide a facility to export the contents of their Address Book in encrypted form, but the encryption strength is insufficient. With knowledge of the encryption process and the encryption key, information such as server credentials may be obtained from the exported Address Book data. For details of affected product names, model numbers, and versions, refer to the information provided by the respective vendors listed under [References].


October 31, 2023

Dear Customers,

We would like to thank you for your continued support of FUJIFILM products. We have confirmed a vulnerability in the encryption method used for the address book of FUJIFILM multifunctional printers.

Please refer to the description below for further details and consider applying the fixed firmware.

Details of the vulnerability

FUJIFILM multifunctional printers have a function that enables users to retrieve information registered in the address book. When the address book information is retrieved using this function, the credentials in the retrieved information are encrypted.

The encryption method is vulnerable because the cryptography used to protect the credentials is weak. If the cryptography is cracked, the credentials in the address book are exposed.

Countermeasure

Please update the firmware to the fixed version.

For customers who have accepted the automatic firmware upgrade with the EP-BB maintenance contract, the firmware upgrade will be done by the EP-BB function after the release of the fixed firmware.

For other customers, please contact FUJIFILM Business Innovation via the support website at https://support-fb.fujifilm.com/

Workarounds

Until the firmware is updated to the fixed version, we ask customers to apply the workarounds below, which can reduce the risk of attack.

  • Please use your multi-function or single-function printers within a network protected by a firewall or similar.
  • If access from the Internet is permitted, please consider allowing access only from restricted IP addresses, or use a VPN to connect.

Acknowledgements

We would like to express our gratitude to Kunal Thakrar and Ceri Coburn from Pen Test Partners for finding the vulnerability.

Contact

Please visit the FUJIFILM Business Innovation support website for more details:

https://support-fb.fujifilm.com/

Affected models and versions and fixed firmware versions

| Affected models | Affected firmware versions | Fixed firmware versions |
|---|---|---|
| Apeos 3560 / 3060 / 2560 / 3560 GK / 3060 GK / 2560 GK | 1.0.0-1.2.16 | 1.2.17 |
| Apeos 3560 / 3060 / 2560 / 3560 GK / 3060 GK / 2560 GK | 1.20.0-1.26.10 | 1.26.11 |
| Apeos 5330 / 4830 | All versions older than the fixed version | 1.20.9 |
| Apeos 5570 / 4570 | 1.0.0-1.3.6 | 1.3.7 |
| Apeos 5570 / 4570 | 1.21.0-1.26.9 | 1.26.10 |
| Apeos 6340 | 1.0.0-1.2.11 | 1.2.12 |
| Apeos 6340 | 1.20.0-1.20.5 | 1.20.6 |
| Apeos 7580 / 6580 | All versions older than the fixed version | 1.26.9 |
| Apeos C2570 / C3070 / C3570 / C4570 / C5570 / C6570 / C7070 | 1.0.0-1.3.7 | 1.3.8 |
| Apeos C2570 / C3070 / C3570 / C4570 / C5570 / C6570 / C7070 | 1.21.0-1.26.11 | 1.26.12 |
| Apeos C3060 / C2560 / C2060 / C3060 GK / C2560 GK / C2060 GK | 1.0.0-1.2.14 | 1.2.15 |
| Apeos C3060 / C2560 / C2060 / C3060 GK / C2560 GK / C2060 GK | 1.20.0-1.26.10 | 1.26.11 |
| Apeos C4030 / C3530 | All versions older than the fixed version | 1.20.10 |
| Apeos C5240 | 1.0.0-1.2.12 | 1.2.13 |
| Apeos C5240 | 1.20.0-1.20.6 | 1.20.7 |
| Apeos C8180 / C7580 / C6580 | 1.0.0-1.3.7 | 1.3.8 |
| Apeos C8180 / C7580 / C6580 | 1.21.0-1.26.12 | 1.26.13 |
| ApeosPort C3060 / C2560 / C2060 / C3060 G / C2560 G / C2060 G | 1.0.0-1.60.15 | 1.60.16 |
| ApeosPort 3560 / 3060 / 2560 / 3560 G / 3060 G / 2560 G | 1.0.0-1.60.16 | 1.60.17 |
| ApeosPort 5570 / 4570 / 3570 / 5570 G / 4570 G | All versions older than the fixed version | 1.60.16 |
| ApeosPort C7070 / C6570 / C5570 / C4570 / C3570 / C3070 | All versions older than the fixed version | 1.60.18 |
| ApeosPort-VII 5021 / 4021 | 1.5.0-1.60.14 | 1.60.16 |
| ApeosPort-VII 5021 / 4021 | 1.0.0-1.60.2 | 1.60.3 |
| ApeosPort-VII C4421 / C3321 | 1.5.0-1.60.14 | 1.60.16 |
| ApeosPort-VII C4421 / C3321 | 1.0.0-1.60.2 | 1.60.3 |
| ApeosPro C810 / C750 / C650 | 1.0.0-1.3.6 | 1.3.7 |
| ApeosPro C810 / C750 / C650 | 1.21.0-1.26.14 | 1.26.14 |
| PrimeLink C9070 / C9065 | All versions older than the fixed version | 1.145.4 |
| Revoria Press E1136 / E1125 / E1110 / E1100 | 1.0.0-1.3.5 | 1.3.6 |
| Revoria Press E1136 / E1125 / E1110 / E1100 | 1.21.0-1.26.11 | 1.26.12 |
| RevoriaPress SC180 / SC170 | All versions older than the fixed version | 1.22.8 |
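
The following is an added example, not part of the vendor advisory: a small fleet check that matches a device inventory against the affected ranges above. It assumes three-part numeric firmware versions, encodes only a subset of the table rows, and uses a constructed inventory (hostnames and installed versions are made up).

```python
import csv
import io

# Subset of the advisory's table: model -> [(first_affected, last_affected, fixed)].
# first_affected None encodes "All versions older than the fixed version".
AFFECTED = {
    "Apeos 5570 / 4570": [("1.0.0", "1.3.6", "1.3.7"), ("1.21.0", "1.26.9", "1.26.10")],
    "Apeos 6340": [("1.0.0", "1.2.11", "1.2.12"), ("1.20.0", "1.20.5", "1.20.6")],
    "Apeos 5330 / 4830": [(None, None, "1.20.9")],
    "PrimeLink C9070 / C9065": [(None, None, "1.145.4")],
}

def parse(version):
    """Turn '1.26.9' into (1, 26, 9) so fields compare as numbers, not text."""
    return tuple(int(part) for part in version.strip().split("."))

def check(model, version):
    """Return ('affected', fixed_version) or ('not_listed', None)."""
    v = parse(version)
    for first, last, fixed in AFFECTED[model]:
        if first is None:
            if v < parse(fixed):
                return ("affected", fixed)
        elif parse(first) <= v <= parse(last):
            return ("affected", fixed)
    return ("not_listed", None)

# Constructed inventory (hostnames and versions are made up for the example).
INVENTORY = """host,model,firmware
mfp-floor1,Apeos 5570 / 4570,1.3.6
mfp-floor2,Apeos 5570 / 4570,1.26.10
mfp-lab,Apeos 5330 / 4830,1.3.7
mfp-print,PrimeLink C9070 / C9065,1.145.4
mfp-hr,Apeos 6340,1.20.5
"""

def audit(inventory_csv):
    """Return [(host, current, fixed)] for devices in an affected range."""
    todo = []
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        status, fixed = check(row["model"], row["firmware"])
        if status == "affected":
            todo.append((row["host"], row["firmware"], fixed))
    return todo

if __name__ == "__main__":
    for host, current, fixed in audit(INVENTORY):
        print(f"{host}: {current} -> update to {fixed}")
```

Comparing versions as integer tuples matters here: as plain strings, "1.3.7" sorts after "1.20.9", which would wrongly clear an affected device.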
