CVE-2021-44738: Lexmark Security Advisories

A buffer overflow vulnerability has been identified in the PostScript interpreter of Lexmark devices through 2021-12-07.


This page provides information on new or recently updated security advisories for Lexmark products.

Cross Site Request Forgery (CVE-2019-10057)

The embedded web server in some older Lexmark devices contains a cross-site request forgery vulnerability that allows a local account password to be changed without the knowledge of the authenticated user.
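The following is an added illustration of the CSRF class described in this advisory; it is not Lexmark code and does not describe the internals of CVE-2019-10057. A password-change endpoint is simulated in-process: the vulnerable handler trusts the session cookie alone, so a form submitted by a cross-site page from the victim's browser succeeds; the hardened handler also requires a per-session token, an Origin/Referer that matches the device, and the current password. OWN_ORIGIN, the class and field names are assumptions made for the example.

```python
"""Added CSRF illustration (not Lexmark code). Names and origin are assumed."""
import hmac
import secrets
from dataclasses import dataclass, field
from urllib.parse import urlsplit

OWN_ORIGIN = "https://printer.example"  # assumed origin of the device's web server


@dataclass
class Session:
    user: str
    # Synchronizer token: random per session, embedded only in the device's own forms.
    csrf_token: str = field(default_factory=lambda: secrets.token_urlsafe(32))


@dataclass
class Request:
    cookies: dict
    form: dict
    headers: dict = field(default_factory=dict)


class EmbeddedWebServer:
    def __init__(self):
        # Plain-text store for the demo only; a real device stores password hashes.
        self.passwords = {"admin": "initial-secret"}
        self.sessions = {}

    def login(self, user: str) -> str:
        sid = secrets.token_urlsafe(16)
        self.sessions[sid] = Session(user)
        return sid

    def change_password_unsafe(self, req: Request) -> int:
        """Vulnerable: any request carrying a valid session cookie succeeds,
        including one a cross-site page submitted from the victim's browser."""
        sess = self.sessions.get(req.cookies.get("sid"))
        if sess is None:
            return 401
        self.passwords[sess.user] = req.form["new_password"]
        return 200

    def change_password_safe(self, req: Request) -> int:
        sess = self.sessions.get(req.cookies.get("sid"))
        if sess is None:
            return 401
        # 1. Origin (or Referer) must be the device itself: exact scheme+host match,
        #    not a prefix test, so https://printer.example.evil.example fails.
        src = req.headers.get("Origin") or req.headers.get("Referer")
        if not src:
            return 403
        parts = urlsplit(src)
        if f"{parts.scheme}://{parts.netloc}" != OWN_ORIGIN:
            return 403
        # 2. Anti-CSRF token bound to this session, compared in constant time.
        if not hmac.compare_digest(req.form.get("csrf_token", ""), sess.csrf_token):
            return 403
        # 3. Re-authenticate: the change must prove knowledge of the current password.
        current = req.form.get("current_password", "").encode()
        if not hmac.compare_digest(current, self.passwords[sess.user].encode()):
            return 403
        self.passwords[sess.user] = req.form["new_password"]
        return 200


def demo() -> dict:
    """Send a constructed forged request to both handlers, then a legitimate one."""
    results = {}
    for name in ("unsafe", "safe"):
        srv = EmbeddedWebServer()
        sid = srv.login("admin")
        # Forged request: the browser attaches the victim's cookie, but the
        # attacker's page cannot read the token and arrives with its own Origin.
        forged = Request(
            cookies={"sid": sid},
            form={"new_password": "attacker-chosen"},
            headers={"Origin": "https://evil.example"},
        )
        status = getattr(srv, f"change_password_{name}")(forged)
        results[name] = (status, srv.passwords["admin"])
    srv = EmbeddedWebServer()
    sid = srv.login("admin")
    legit = Request(
        cookies={"sid": sid},
        form={"new_password": "new-secret", "current_password": "initial-secret",
              "csrf_token": srv.sessions[sid].csrf_token},
        headers={"Origin": OWN_ORIGIN},
    )
    results["legit"] = (srv.change_password_safe(legit), srv.passwords["admin"])
    return results


if __name__ == "__main__":
    print(demo())
```

Requiring the current password is the check that most directly addresses the advisory's wording: even if a token were leaked, the change cannot happen "without the knowledge of the authenticated user".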

Directory Traversal Vulnerability (CVE-2018-18894)

A directory traversal vulnerability has been identified in the embedded web server used in older generation Lexmark devices. The vulnerability allows unauthenticated access to sensitive files on the device.
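As an added, generic example of the traversal class named above (not Lexmark code, and not a description of the specific CVE-2018-18894 flaw), the block below contrasts a path resolver that decodes and joins without a containment check against one that rejects escapes, double encoding and NUL bytes. WEB_ROOT and the probe paths are constructed for the example.

```python
"""Added path-traversal illustration (not Lexmark code). WEB_ROOT is assumed."""
import posixpath
from urllib.parse import unquote

WEB_ROOT = "/var/www/ews"  # assumed document root of an embedded web server


def resolve_unsafe(web_root: str, request_path: str) -> str:
    """Vulnerable: decodes and joins, but never checks where the result landed."""
    return posixpath.normpath(posixpath.join(web_root, unquote(request_path).lstrip("/")))


def resolve_safe(web_root: str, request_path: str) -> str:
    decoded = unquote(request_path)
    # Reject double-encoded sequences (%252e -> %2e -> .) instead of decoding in a loop.
    if unquote(decoded) != decoded:
        raise PermissionError("double-encoded path rejected")
    # A NUL byte truncates C strings; never let such a path reach open().
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    root = posixpath.normpath(web_root)
    candidate = posixpath.normpath(posixpath.join(root, decoded.lstrip("/")))
    # Containment: the candidate must be the root itself or strictly below it.
    if candidate != root and not candidate.startswith(root + "/"):
        raise PermissionError("path escapes document root")
    # On a real filesystem, resolve symlinks (os.path.realpath) before this check.
    return candidate


def probe(paths):
    """Return {request_path: (unsafe_result, safe_result_or_denial)} for each probe."""
    out = {}
    for p in paths:
        try:
            safe = resolve_safe(WEB_ROOT, p)
        except PermissionError as e:
            safe = f"DENIED: {e}"
        out[p] = (resolve_unsafe(WEB_ROOT, p), safe)
    return out


if __name__ == "__main__":
    # Constructed probes: a normal file, a benign dot-dot, and three escape attempts.
    for path, (unsafe, safe) in probe([
        "/index.html",
        "/css/../index.html",
        "/../../etc/passwd",
        "/%2e%2e/%2e%2e/etc/passwd",
        "/%252e%252e/%252e%252e/etc/passwd",
    ]).items():
        print(f"{path!r:40} unsafe={unsafe!r:30} safe={safe!r}")
```

The containment test is done on the normalized string rather than by searching the input for "..", because the escaping component can be encoded, and because a string search wrongly rejects legitimate names such as "..data".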

Apache Tomcat Vulnerability (CVE-2018-8037)

Markvision Enterprise (MVE) uses Apache Tomcat which is vulnerable to an information disclosure bug that could allow an attacker to reuse session credentials from a previous user’s session in a new session.

Apache Tomcat Vulnerability (CVE-2018-1336)

Markvision Enterprise (MVE) uses Apache Tomcat which is vulnerable to a bug that could allow an attacker to cause MVE to enter an infinite loop and produce a denial of service condition.

Lexmark Buffer Overflow Vulnerability (CVE-2018-15519, CVE-2018-15520)

Lexmark has identified a buffer overflow vulnerability in the handling of color fax jobs by some multi-function device models. This vulnerability allows an attacker with crafted fax data to create a denial of service condition and, in some situations, to execute arbitrary code on an affected device.

KRACK Vulnerabilities (CVE-2017-13077, CVE-2017-13078, CVE-2017-13079, CVE-2017-13080, CVE-2017-13081, CVE-2017-13082, CVE-2017-13084, CVE-2017-13086, CVE-2017-13087, and CVE-2017-13088)

Lexmark has learned of a series of weaknesses in WPA2, the protocol that secures all modern protected WiFi networks. These weaknesses can allow the disclosure of information that was assumed to be safely encrypted.

Orpheus’ Lyre Vulnerability (CVE-2017-11103)

A vulnerability in Heimdal (an implementation of Kerberos 5) before release 7.4 allows remote attackers to impersonate services with Orpheus’ Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification.

Xalan Java Vulnerability (CVE-2014-0107)

Markvision Enterprise contains a vulnerability that allows remote attackers to bypass expected restrictions and load arbitrary classes or access external resources.

POODLE Vulnerability (CVE-2014-3566)

Lexmark has learned of a vulnerability in the SSLv3 protocol which allows an attacker with the ability to intercept and insert traffic (Man-In-The-Middle) to decrypt a portion of the encrypted communication.

Bash “shellshock” Vulnerabilities (CVE-2014-6271)

Lexmark has learned of a series of vulnerabilities in the open-source bash shell program that allow an attacker to execute arbitrary commands on a vulnerable system. No Lexmark devices or software products are affected by these vulnerabilities.

OpenSSL CCS Injection Vulnerability (CVE-2014-0224)

Lexmark has learned of a group of vulnerabilities in certain versions of the open-source OpenSSL library that can be exploited by a Man-In-The-Middle attack. Multiple Lexmark products are affected by this vulnerability.

OpenSSL Heartbleed Vulnerability (CVE-2014-0160)

Lexmark has learned of a vulnerability in certain versions of the open-source OpenSSL Library that allows unauthenticated access to private memory of printer devices and computer systems. Multiple Lexmark products are affected by this vulnerability.

HTML injection vulnerability (CVE-2013-6033)

Some Lexmark Printers do not properly sanitize user-supplied values for the “Contact” and “Location” settings. This vulnerability can be exploited to execute arbitrary HTML or script code in the browser of anyone viewing the device's embedded web server.
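The block below is an added example of the stored HTML injection class described above; it is not Lexmark code and the status-page template, setting names and payloads are constructed for illustration. It shows the two settings interpolated raw into markup (text and attribute context) beside a version that bounds input at save time and HTML-escapes at render time, which is the step that actually prevents injection.

```python
"""Added HTML-injection illustration (not Lexmark code). Template and payloads are constructed."""
import html
import re

MAX_SETTING_LEN = 128
_CONTROL_CHARS = re.compile(r"[\x00-\x1f\x7f]")

# Assumed fragment of a device status page: one text context, one attribute context.
TEMPLATE = (
    '<tr><td>Contact</td><td>{contact}</td></tr>'
    '<tr><td>Location</td><td title="{location}">{location}</td></tr>'
)


def render_unsafe(contact: str, location: str) -> str:
    """Vulnerable: stored settings interpolated verbatim into HTML."""
    return TEMPLATE.format(contact=contact, location=location)


def validate_setting(value: str) -> str:
    """Input-time check: bound length and refuse control characters.
    Deliberately does not try to strip tags; that is brittle and allows
    legitimate characters such as '&' to be mangled. Encoding happens on output."""
    if len(value) > MAX_SETTING_LEN:
        raise ValueError("setting too long")
    if _CONTROL_CHARS.search(value):
        raise ValueError("control characters not allowed")
    return value


def render_safe(contact: str, location: str) -> str:
    """Hardened: escape for both HTML text and attribute context at render time.
    quote=True also converts ' and \" so an attribute breakout is impossible."""
    return TEMPLATE.format(
        contact=html.escape(contact, quote=True),
        location=html.escape(location, quote=True),
    )


# Constructed payloads of the kind an authenticated user could store in the settings.
TEXT_PAYLOAD = "<script>alert(document.cookie)</script>"
ATTR_PAYLOAD = '" onmouseover="alert(1)'


def demo() -> dict:
    """Render both payloads through the vulnerable and hardened renderers."""
    return {
        "unsafe": render_unsafe(TEXT_PAYLOAD, ATTR_PAYLOAD),
        "safe": render_safe(TEXT_PAYLOAD, ATTR_PAYLOAD),
    }


if __name__ == "__main__":
    for label, markup in demo().items():
        print(f"{label}: {markup}")
```

A Content-Security-Policy header on the embedded web server would add defence in depth, but it is no substitute for output encoding: the attribute-context payload above needs no `<script>` tag at all.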

Password Reset vulnerability (CVE-2013-6032)

Some Lexmark Printers and MarkNet devices will fail to authenticate a specially crafted password reset request. This vulnerability can be exploited to bypass authentication configured on the device.

Information leakage vulnerability (CVE-2011-4538)

Some Lexmark Multifunction Devices include sensitive configuration values in exported settings files. This vulnerability can be exploited to enable unauthorized disclosure of device configuration information.

FTP Denial of Service Security Vulnerability (CVE-2010-0618)

Some Lexmark Printers and MarkNet devices contain denial of service vulnerabilities in the FTP service. These vulnerabilities can be exploited with repeated aborted FTP connections to the printer, causing the printer to ignore incoming TCP network connections to multiple services.
