Response to vulnerabilities in
Toshiba Tec's digital multi-function peripherals
May 31, 2024
Toshiba Tec Corporation
Thank you for using our products.
Some of vulnerabilities have been identified in some of our multi-function peripherals. This issue does not result in the leakage of information from the product to outside parties.
Vulnerability details
Target Products: e-STUDIO 908/ 1058/ 1208 (Introduced in North American market only)
- Some device web pages may cause stack-based buffer overflow
Vulnerability number: CVE-2024-28038 - Permission is incorrectly assigned for the file in which some sensitive information is stored and they can be viewed by exploiting another vulnerability
Vulnerability number: CVE-2024-28955 - Some sensitive information is stored as plain text and can be viewed by exploiting another vulnerability Vulnerability number: CVE-2024-29146
- Some sensitive information is stored as plain text and can be viewed by exploiting another vulnerability
Vulnerability number: CVE-2024-29978 - Some sensitive information can be decrypted by exploiting another vulnerability
Vulnerability number: CVE-2024-32151 - Some device web pages may cause path traversal attacks
Vulnerability number: CVE-2024-33605 - Some device web pages have improper access control authority
Vulnerability number: CVE-2024-33610 - Improper credential information for executing some device feature may cause reference to internal information in the device
Vulnerability number: CVE-2024-33616 - Some device web pages may send credential information stored in the device unintentionally (This may be used by attackers who already hacked the device and obtained its authority.)
Vulnerability number: CVE-2024-34162 - Credential information for executing some device features are hard-coded and can be exploited by attackers who improperly obtained the credential information
Vulnerability number: CVE-2024-35244 - Credential information for accessing external sites are hard-coded and can be exploited by attackers who improperly obtained the credential information
Vulnerability number: CVE-2024-36248 - Some device web pages may cause cross-site scripting attacks
Vulnerability number: CVE-2024-36249 - Some device web pages may cause device hang-up due to out-of-bounds memory reference
Vulnerability number: CVE-2024-36251 - Some device web pages may cause device hang-up due to out-of-bounds memory reference
Vulnerability number: CVE-2024-36254
- Solution
- Ask your service company to update the main unit software.
- Workaround
- When connecting to the Internet, connect to a network protected through a firewall as described in the manual. Additionally, enable user authentication function and manage your passwords appropriately.
Acknowledgments: These vulnerabilities were reported by
Pierre Barre (CVE-2024-28038 to CVE-2024-36248, CVE-2024-36251, CVE-2024-36254),
Morgan Davies of Cyber Security Specialists (CVE-2024-33610),
Pontus Hassen security researcher at Omegapoint (CVE-2024-36249),
Damien BOLUS – Torii Security (CVE-2024-36249), and
Jarrod Stebick (CVE-2024-36251 and CVE-2024-36254)
Thanks for these reports and for the progress they have made in addressing this issue.