Response to vulnerabilities in
Toshiba Tec's digital multi-function peripherals

June 14, 2024
Toshiba Tec Corporation

Thank you for using our products.

Several vulnerabilities have been identified in some of our multi-function peripherals. This issue does not result in the leakage of information from the product to outside parties.

Vulnerability details

Target Products: Refer to the Affected Product List (PDF: 92.9KB)

  1. Vulnerability Type: Improper Restriction of Recursive Entity References (CWE-776)
    With some APIs (Application Program Interfaces), it is possible to send HTTP requests to the multifunction device without authentication, which can cause the device to stop operating (denial of service, DoS).
    Vulnerability identification number: CVE-2024-27141, CVE-2024-27142
  2. Vulnerability Type: Execution with Unnecessary Privileges (CWE-250)
    Because some programs run with root privileges, if the programs are hijacked through certain means, arbitrary code can be executed on the multifunction device.
    Vulnerability identification number: CVE-2024-27143, CVE-2024-27146, CVE-2024-27147
  3. Vulnerability Type: Weakness Variant (CWE-276)
    Due to inappropriate permission settings for some programs, if root privileges are hijacked through certain means, arbitrary code can be executed on the multifunction device.
    Vulnerability identification number: CVE-2024-27148, CVE-2024-27149, CVE-2024-27150, CVE-2024-27151, CVE-2024-27152, CVE-2024-27153, CVE-2024-27155, CVE-2024-27167, CVE-2024-27171
  4. Vulnerability Type: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')(CWE-22)
    With the web management program (TopAccess), it is possible to place any file in the multifunction device.
    Vulnerability identification number: CVE-2024-27144, CVE-2024-7145, CVE-2024-27173, CVE-2024-27174, CVE-2024-27176, CVE-2024-27177, CVE-2024-27178
  5. Vulnerability Type: Insertion of Sensitive Information into Log File (CWE-532)
    Because some authentication information is written to the log file, by spoofing external communications, the information can be stolen by a third party who has access to the multifunction device.
    Vulnerability identification number: CVE-2024-27154, CVE-2024-27156, CVE-2024-27157
  6. Vulnerability Type: Plaintext Storage of Important Information (CWE-256)
    Because some information is stored unencrypted, it can be stolen by a third party who has access to the multifunction device.
    Vulnerability identification number: CVE-2024-27166
  7. Vulnerability Type: Debug Messages Revealing Unnecessary Information (CWE-1295)
    Because important information is included in the debugging log file, the information can be stolen by a third party who has access to the multifunction device.
    Vulnerability identification number: CVE-2024-27179
  8. Vulnerability Type: Use of Default Credentials (CWE-1392)
    Because common authentication information is used for access between the internal programs of the multifunction device, information can be stolen by a third party who has access to the multifunction device.
    Vulnerability identification number: CVE-2024-27158
  9. Vulnerability Type: Use of Hard-coded Credentials (CWE-798)
    Because some of the authentication information between the multifunction device's internal programs is written directly into the program, the information can be stolen by a third party who has access to the multifunction device.
    Vulnerability identification number: CVE-2024-27159, CVE-2024-27160, CVE-2024-27161, CVE-2024-27168, CVE-2024-27170
  10. Vulnerability Type: Use of Hard-coded Password (CWE-259)
    Because part of the authentication password between the multifunction device's internal programs is written directly into the program, the information can be stolen by a third party who has access to the multifunction device.
    Vulnerability identification number: CVE-2024-27164
  11. Vulnerability Type: Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') (CWE-79)
    There is a cross-site scripting vulnerability in the web management program (TopAccess), which allows information to be stolen by a third party who has access to the multifunction device.
    Vulnerability identification number: CVE-2024-27162
  12. Vulnerability Type: Cleartext Transmission of Sensitive Information (CWE-319)
    Because some of the communication between the internal programs of the multifunction device is not encrypted, information can be stolen by a third party who has access to the multifunction device.
    Vulnerability identification number: CVE-2024-27163
  13. Vulnerability Type: Least Privilege Violation (CWE-272)
    Part of the internal program code of the multifunction device uses a vulnerable code set, and information can be stolen by a third party who has access to the multifunction device.
    Vulnerability identification number: CVE-2024-27165
  14. Vulnerability Type: Missing Authentication for Critical Function (CWE-306)
    Because there is a way to access some APIs of the internal programs of multifunction devices without authorization, information can be stolen by a third party who has access to the multifunction device.
    Vulnerability identification number: CVE-2024-27169
  15. Vulnerability Type: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') (CWE-78)
    There is a way to access some APIs of the internal programs of multifunction devices without authorization, so arbitrary code can be executed on the multifunction device.
    Vulnerability identification number: CVE-2024-27172
  16. Vulnerability Type: External Control of File Name or Path (CWE-73)
    Some APIs in the internal programs of multifunction devices do not check the input of file names, so any file can be placed in the multifunction device.
    Vulnerability identification number: CVE-2024-27175
  17. Vulnerability Type: Time-of-check Time-of-use (TOCTOU) Race Condition (CWE-367)
    The encryption key used to install an application on the multifunction device becomes temporarily replaceable, allowing the information inside the multifunction device to be tampered with.
    Vulnerability identification number: CVE-2024-27180
  18. Vulnerability Type: Authentication Bypass Using an Alternate Path or Channel (CWE-288)
    When the user authentication function is disabled, it is possible to bypass the administrator authentication process for the web page for accessing the multifunction device's system information and uploading drivers.
    Vulnerability identification number: CVE-2024-3496
  19. Vulnerability Type: Relative Path Traversal (CWE-23)
    If a multifunction device has a directory traversal vulnerability and user authentication is disabled, files on the multifunction device can be overwritten or new files can be placed.
    Vulnerability identification number: CVE-2024-3497
  20. Vulnerability Type: Execution with Unnecessary Privileges (CWE-250)
    If user authentication is disabled, a malicious file can be executed by enabling the service from the MFP's web interface, elevating its privileges to root.
    Vulnerability identification number: CVE-2024-3498
Solution
Ask your service company to update the main unit software.
Workaround
When connecting to the Internet, connect through a network protected by a firewall as described in the manual. Additionally, enable the user authentication function and manage your passwords appropriately.

Acknowledgments: These vulnerabilities were reported by Pierre Barre (CVE-2024-27141 ~ CVE-2024-27180), and by Zhenhua Huang, Harry Zhang, and Minmin as members of the Zero Day Initiative (CVE-2024-3496 ~ CVE-2024-3498).
We thank them for these reports and for the progress they have made in addressing this issue.