
CVE-2022-45796: Sharp Corporation

Command injection vulnerability in nw_interface.html in SHARP multifunction printers (MFPs) allows remote attackers to execute arbitrary commands via unspecified vectors. Affected firmware: Digital Full-color Multifunctional System 202 or earlier, 120 or earlier, 600 or earlier, 121 or earlier, 500 or earlier, 402 or earlier, 790 or earlier, and Digital Multifunctional System (Monochrome) 200 or earlier, 211 or earlier, 102 or earlier, 453 or earlier, 400 or earlier, 202 or earlier, 602 or earlier, 500 or earlier, 401 or earlier.


About Command Injection Security Vulnerability in SHARP Multifunctional Products (MFP)

A command injection security vulnerability has been identified that may impact some MFPs that are not properly protected with a strong admin password and a firewall. The following is a summary of the vulnerability, affected models, and countermeasures:

Vulnerability identification number

JVNVU#96195138 / CVE-2022-45796

Affected models and firmware version

See the separate table below.

Condition to enable attacks using this vulnerability

To attack an MFP using this vulnerability, an attacker requires access to:

  • The target MFP via the network within the firewall
  • The MFP administrator password

Possible impacts

If the above conditions are fulfilled, attackers may execute arbitrary commands on the MFP.

Mitigation measures

To mitigate security risks and the command injection vulnerability, protect your MFPs by applying the following countermeasures.

  • Change the admin password from the factory default, and securely store and manage the password.
  • Do not expose MFPs directly to the Internet. Connect them via a firewall or similar network appliance.

If these countermeasures are not applied, attackers may access the devices and cause data leakage.

Countermeasure

Sharp has released updated firmware to mitigate the command injection vulnerability. For details, consult your authorized Sharp service provider.

Acknowledgment

This vulnerability was reported by ZUSO Advanced Research Team in Taiwan. We truly appreciate their report.

Information

JVNVU#96195138 Command Injection vulnerability in SHARP Multifunctional Products (MFP):
https://jvn.jp/en/vu/JVNVU96195138/index.html
CVE: https://www.cve.org/CVERecord?id=CVE-2022-45796

■ Affected models and firmware versions

| Category | Model name | Firmware version affected (see note) * Check the 2nd to 4th digits of the firmware version |
|---|---|---|
| Digital Full-color Multifunctional System | BP-70C65/BP-70C55/BP-70C45/BP-70C36/BP-70C31/BP-60C45/BP-60C36/BP-60C31/BP-50C65/BP-50C55/BP-50C45/BP-50C36/BP-50C31/BP-50C26/BP-55C26 | “202” or earlier |
| Digital Full-color Multifunctional System | MX-8081/MX-7081 | “120” or earlier |
| Digital Full-color Multifunctional System | MX-6071/MX-5071/MX-4071/MX-3571/MX-3071/MX-4061/MX-3561/MX-3061/MX-6051/MX-5051/MX-4051/MX-3551/MX-3051/MX-2651/MX-6071S/MX-5071S/MX-4071S/MX-3571S/MX-3071S/MX-4061S/MX-3561S/MX-3061S | “600” or earlier |
| Digital Full-color Multifunctional System | BP-30C25/BP-30C25Y/BP-30C25Z/BP-30C25T | “121” or earlier |
| Digital Full-color Multifunctional System | MX-7580N/MX-6580N | “500” or earlier |
| Digital Full-color Multifunctional System | MX-8090N/MX-7090N | “402” or earlier |
| Digital Full-color Multifunctional System | MX-6070N/MX-5070N/MX-4070N/MX-3570N/MX-3070N/MX-4060N/MX-3560N/MX-3060N/MX-6070V/MX-5070V/MX-4070V/MX-3570V/MX-3070V/MX-4060V/MX-3560V/MX-3060V/MX-6070N A/MX-4070N A/MX-3070N A/MX-6070V A/MX-4070V A/MX-3070V A | “790” or earlier |
| Digital Full-color Multifunctional System | MX-6050N/MX-5050N/MX-4050N/MX-3550N/MX-3050N/MX-6050V/MX-5050V/MX-4050V/MX-3550V/MX-3050V/MX-2630N/MX-3050N A/MX-3050V A | “790” or earlier |
| Digital Full-color Multifunctional System | MX-C304W/MX-C303W/MX-C304/MX-C303/MX-C304WH/MX-C303WH | “500” or earlier |
| Digital Multifunctional System (Monochrome) | BP-70M90/BP-70M75 | “200” or earlier |
| Digital Multifunctional System (Monochrome) | BP-70M65/BP-70M55/BP-70M45/BP-70M36/BP-70M31/BP-50M55/BP-50M50/BP-50M45/BP-50M36/BP-50M31/BP-50M26 | “211” or earlier |
| Digital Multifunctional System (Monochrome) | MX-M1206/MX-M1056 | “102” or earlier |
| Digital Multifunctional System (Monochrome) | MX-M7570/MX-M6570 | “453” or earlier |
| Digital Multifunctional System (Monochrome) | MX-M6071/MX-M5071/MX-M4071/MX-M3571/MX-M3071/MX-M6051/MX-M5051/MX-M4051/MX-M3551/MX-M3051/MX-M2651/MX-M3571S/MX-M3071S/MX-M6071S/MX-M5071S/MX-M4071S | “400” or earlier |
| Digital Multifunctional System (Monochrome) | BP-30M35/BP-30M31/BP-30M28/BP-30M35T/BP-30M31T/BP-30M28T | “202” or earlier |
| Digital Multifunctional System (Monochrome) | MX-B476W/MX-B376W/MX-B456W/MX-B356W/MX-B476WH/MX-B376WH/MX-B456WH/MX-B356WH | “400” or earlier |
| Digital Multifunctional System (Monochrome) | MX-M905 | “602” or earlier |
| Digital Multifunctional System (Monochrome) | MX-M6070/MX-M5070/MX-M4070/MX-M3570/MX-M3070/MX-M6050/MX-M5050/MX-M4050/MX-M3550/MX-M3050/MX-M2630/MX-M6070 A/MX-M4070 A/MX-M3070 A/MX-M3050 A/MX-M2630 A | “500” or earlier |
| Digital Multifunctional System (Monochrome) | MX-B455W/MX-B355W/MX-B455WZ/MX-B355WZ/MX-B455WT/MX-B355WT | “401” or earlier |

NOTE: Follow the steps to check firmware version of your MFP. Administrator login is required:

  • Select [Settings] icon from the operation panel. If you are accessing the MFP from your PC within the network, you may access the MFP settings via Web browser by entering its IP address.
  • Select [Status] tab. Select [Firmware version].
  • The 16-digit alphanumeric string after “BUNDLE” (two 8-digit alphanumeric strings connected with an underscore) is the firmware version (e.g., 0510Z200_22040400).
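For a fleet, the check in the note can be scripted once the BUNDLE strings have been collected. The following is an added example, not Sharp's code: it reads the note literally (characters 2 to 4 of the 16-character version, compared numerically, "or earlier" inclusive), carries only a subset of the table above, and assumes a status-text layout and inventory that are constructed for illustration.

```python
import re

# Subset of the advisory's table: model -> highest affected value of the
# 2nd-4th firmware digits. Extend it from the full table as needed.
AFFECTED_MAX = {
    "MX-8081": 120, "MX-7580N": 500, "BP-70M90": 200,
    "MX-M1206": 102, "MX-M905": 602, "MX-B455W": 401,
}

# Assumption: the status text contains "BUNDLE", optional punctuation, then
# two 8-character alphanumeric groups joined by an underscore.
BUNDLE_RE = re.compile(r"BUNDLE\W*([0-9A-Z]{8})_([0-9A-Z]{8})\b")


def version_key(status_text):
    """Return the 2nd-4th characters of the firmware version as an int."""
    match = BUNDLE_RE.search(status_text.upper())
    if match is None:
        return None
    field = match.group(1)[1:4]  # e.g. "0510Z200" -> "510"
    return int(field) if field.isdigit() else None


def assess(model, status_text):
    """Classify one device against the (subset of the) affected-version table."""
    limit = AFFECTED_MAX.get(model.strip().upper())
    if limit is None:
        return "model-not-in-table"
    key = version_key(status_text)
    if key is None:
        return "version-unreadable"  # flag for a manual check on the panel
    return "affected" if key <= limit else "newer-than-affected"


def audit(inventory):
    """Map each host to its classification."""
    return {host: assess(model, text) for host, model, text in inventory}


# Constructed inventory: (host, model, text copied from the status page).
SAMPLE_INVENTORY = [
    ("mfp-01", "MX-M905", "BUNDLE: 0510Z200_22040400"),
    ("mfp-02", "BP-70M90", "BUNDLE 0510Z200_22040400"),
    ("mfp-03", "MX-8081", "BUNDLE: 0120Z200_21010100"),
    ("mfp-04", "MX-B455W", "firmware unknown"),
    ("mfp-05", "XX-0000", "BUNDLE: 0510Z200_22040400"),
]

if __name__ == "__main__":
    for host, result in audit(SAMPLE_INVENTORY).items():
        print(host, result)
```

Devices reported as version-unreadable or model-not-in-table should be checked by hand against the full table rather than treated as safe.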
