Fuji Xerox & Lexmark release a response to the hacking of the fax machines
According to the report from Check Point Research - Faxploit: Sending Fax Back to the Dark Ages, Fuji Xerox has responded to this fax vulnerability: Fax Vulnerability Affecting HP Printers, below is their reply:
Description
Embedded fax may be vulnerable to remote code execution flaws.
What you need to know?
Check Point Research were able to gain access using a phone line to send a fax that could take full control over a Hewlett Packard all-in-one printer, and later spread a payload inside the computer network accessible to the printer.
What Is Xerox Doing About This?
Xerox completed assessment to Xerox products.
As a reminder, our Common Criteria Certified MFDs certify our design, which separates the fax processing and the network interface thereby preventing an interconnection between the Public Switch Telephone Network and the Internal Network.
Impact
Assessments indicate:
Xerox Devices built on Xerox ConnectKey Technology are not affected by the fax exploit
Production products are not affected as they do not have FAX capability
Light production products that do have a fax optional kit are not affected by the fax exploit
All Product platforms not mentioned here are not affected
And how about Lexmark? We found that Lexmark has already released the solution to user. The security disclosure article can be found here: Lexmark Security Advisory: Lexmark Buffer Overflow Vulnerability
Summary
Lexmark has identified a buffer overflow vulnerability in some models of multi-function devices handling of color fax jobs.
References
CVE-2018-15519
CVE-2018-15520
Details
CVE-2018-15519
This vulnerability allows an attacker with crafted fax data to attack a Lexmark multifunction device. The vulnerability allows a remote attacker to execute arbitrary code via crafted color fax data.
CVE-2018-15520
This vulnerability allows an attacker with crafted fax data to attack a Lexmark multifunction device. This vulnerability allows a remote attacker to crash the device, creating a denial of service condition, or possibly to have unspecified other impact via crafted color fax data.
Impact
CVE-2018-15519
Successful exploitation of this vulnerability can also lead to an attacker being able to remotely execute arbitrary code on a device.This condition may continue until the crafted fax data is wiped from the device.
CVE-2018-15520
Successful exploitation of this vulnerability can lead to an attacker being able to crash a device, resulting in a denial-of-service until the crafted fax data is wiped from the device.
Affected Products
Many Lexmark products support Fax, and are affected by this vulnerability when they receive and process color fax jobs.
To determine a devices firmware level, select the “Settings” > “Reports” > ”Menu Setting Page” menu item from the operator panel. If the firmware level listed under “Device Information” matches any level under “Affected Releases”, then you should upgrade to a “Fixed Release”.
CVE-2018-15519
CVE-2018-15520
Obtaining Updated Software
To obtain firmware that resolves this issue, or if you have special code, please contact Lexmark's Technical Support Center at http://support.lexmark.com/ to find your local support center.
Workarounds
Disabling the “Enable Color Fax Receive” feature on a device will block the ability to exploit this vulnerability.
