Response to vulnerabilities in
Toshiba Tec's digital multi-function peripherals

May 31, 2024
Toshiba Tec Corporation

Thank you for using our products.

Some vulnerabilities have been identified in some of our multi-function peripherals. This issue does not result in the leakage of information from the product to outside parties.

Vulnerability details

Target Products: e-STUDIO 908/ 1058/ 1208 (Introduced in North American market only)

  1. Some device web pages may cause stack-based buffer overflow
    Vulnerability number: CVE-2024-28038
  2. Permission is incorrectly assigned for the file in which some sensitive information is stored, and it can be viewed by exploiting another vulnerability
    Vulnerability number: CVE-2024-28955
  3. Some sensitive information is stored as plain text and can be viewed by exploiting another vulnerability
    Vulnerability number: CVE-2024-29146
  4. Some sensitive information is stored as plain text and can be viewed by exploiting another vulnerability
    Vulnerability number: CVE-2024-29978
  5. Some sensitive information can be decrypted by exploiting another vulnerability
    Vulnerability number: CVE-2024-32151
  6. Some device web pages may cause path traversal attacks
    Vulnerability number: CVE-2024-33605
  7. Some device web pages have improper access control authority
    Vulnerability number: CVE-2024-33610
  8. Improper credential information for executing some device features may allow internal information in the device to be referenced
    Vulnerability number: CVE-2024-33616
  9. Some device web pages may send credential information stored in the device unintentionally (This may be used by attackers who have already hacked the device and obtained its authority.)
    Vulnerability number: CVE-2024-34162
  10. Credential information for executing some device features is hard-coded and can be exploited by attackers who improperly obtained the credential information
    Vulnerability number: CVE-2024-35244
  11. Credential information for accessing external sites is hard-coded and can be exploited by attackers who improperly obtained the credential information
    Vulnerability number: CVE-2024-36248
  12. Some device web pages may cause cross-site scripting attacks
    Vulnerability number: CVE-2024-36249
  13. Some device web pages may cause device hang-up due to out-of-bounds memory reference
    Vulnerability number: CVE-2024-36251
  14. Some device web pages may cause device hang-up due to out-of-bounds memory reference
    Vulnerability number: CVE-2024-36254

Solution

Ask your service company to update the main unit software.

Workaround

When connecting to the Internet, connect to a network protected through a firewall as described in the manual. Additionally, enable the user authentication function and manage your passwords appropriately.

Acknowledgments: These vulnerabilities were reported by
Pierre Barre (CVE-2024-28038 to CVE-2024-36248, CVE-2024-36251, CVE-2024-36254),
Morgan Davies of Cyber Security Specialists (CVE-2024-33610),
Pontus Hassen, security researcher at Omegapoint (CVE-2024-36249),
Damien BOLUS – Torii Security (CVE-2024-36249), and
Jarrod Stebick (CVE-2024-36251 and CVE-2024-36254)
Thanks for these reports and for the progress they have made in addressing this issue.