Thank you for using our products.

Some of vulnerabilities have been identified in some of our multi-function peripherals. This issue does not result in the leakage of information from the product to outside parties.

Vulnerability details

Target Products: e-STUDIO 908/ 1058/ 1208 (Introduced in North American market only)

1. Some device web pages may cause stack-based buffer overflow
   Vulnerability number: CVE-2024-28038
2. Permission is incorrectly assigned for the file in which some sensitive information is stored and they can be viewed by exploiting another vulnerability
   Vulnerability number: CVE-2024-28955
3. Some sensitive information is stored as plain text and can be viewed by exploiting another vulnerability Vulnerability number: CVE-2024-29146
4. Some sensitive information is stored as plain text and can be viewed by exploiting another vulnerability
   Vulnerability number: CVE-2024-29978
5. Some sensitive information can be decrypted by exploiting another vulnerability
   Vulnerability number: CVE-2024-32151
6. Some device web pages may cause path traversal attacks
   Vulnerability number: CVE-2024-33605
7. Some device web pages have improper access control authority
   Vulnerability number: CVE-2024-33610
8. Improper credential information for executing some device feature may cause reference to internal information in the device
   Vulnerability number: CVE-2024-33616
9. Some device web pages may send credential information stored in the device unintentionally (This may be used by attackers who already hacked the device and obtained its authority.)
   Vulnerability number: CVE-2024-34162
10. Credential information for executing some device features are hard-coded and can be exploited by attackers who improperly obtained the credential information
    Vulnerability number: CVE-2024-35244
11. Credential information for accessing external sites are hard-coded and can be exploited by attackers who improperly obtained the credential information
    Vulnerability number: CVE-2024-36248
12. Some device web pages may cause cross-site scripting attacks
    Vulnerability number: CVE-2024-36249
13. Some device web pages may cause device hang-up due to out-of-bounds memory reference
    Vulnerability number: CVE-2024-36251
14. Some device web pages may cause device hang-up due to out-of-bounds memory reference
    Vulnerability number: CVE-2024-36254

Solution

Ask your service company to update the main unit software.

Workaround

When connecting to the Internet, connect to a network protected through a firewall as described in the manual. Additionally, enable user authentication function and manage your passwords appropriately.

Acknowledgments: These vulnerabilities were reported by
Pierre Barre (CVE-2024-28038 to CVE-2024-36248, CVE-2024-36251, CVE-2024-36254),
Morgan Davies of Cyber Security Specialists (CVE-2024-33610),
Pontus Hassen security researcher at Omegapoint (CVE-2024-36249),
Damien BOLUS – Torii Security (CVE-2024-36249), and
Jarrod Stebick (CVE-2024-36251 and CVE-2024-36254)
Thanks for these reports and for the progress they have made in addressing this issue.