We would like to inform you that a security vulnerability has been confirmed in KYOCERA Command Center RX (hereinafter referred to as "CCRX"), which allows users to check and change various settings of multifunction devices provided by Kyocera Document Solutions over the network.
The following is an overview of the issue and how to resolve it. As of the date of publication of this notice, we have not confirmed any attacks that take advantage of this vulnerability.
【Vulnerability description】
1. Path Traversal
CCRX has a Path Traversal vulnerability. Path Traversal is an attack on web applications. By manipulating the value of the file path, an attacker can gain access to the file system, including source code and critical system settings.
Vulnerability number: CVE-2023-34259
2. Denial of Service (DoS)
There is a vulnerability that makes CCRX unusable by a DoS attack. By manipulating the value of the file path, CCRX may become unresponsive.
Vulnerability number: CVE-2023-34260
3. User Enumeration
By trying to login many times, an attacker can grasp if there is a login username in data base for device at CCRX login.
Vulnerability number: CVE-2023-34261
【Countermeasures】
As a countermeasure, we provide firmware that controls the paths managed by CCRX. Please contact your local distributor to apply the firmware.
For protecting "3. User Enumeration" vulnerability, CCRX already has a feature for avoiding this attack. So, we strongly recommend enabling an account lock function in CCRX. The detailed explanation about account lock function is in User Manual. If the account lock function is configured properly username and password are not compromised, because attacker cannot keep attacking continuously.
【Affected Products】
Color MFPs:
TASKalfa 8353ci, TASKalfa 7353ci, TASKalfa 7054ci, TASKalfa 6054ci, TASKalfa 5054ci, TASKalfa 4054ci, TASKalfa 3554ci, TASKalfa 2554ci, TASKalfa 6053ci, TASKalfa 5053ci, TASKalfa 4053ci, TASKalfa 3253ci, TASKalfa 2553ci, TASKalfa 508ci, TASKalfa 408ci, TASKalfa 358ci, TASKalfa 406ci, TASKalfa 356ci, TASKalfa 308ci, TASKalfa 307ci, TASKalfa 306ci, ECOSYS MA2100cwfx, ECOSYS MA2100cfx, TASKalfa Pro 15000c
Monochrome MFPs:
TASKalfa 9003i, TASKalfa 8003i, TASKalfa 7003i, TASKalfa 7004i, TASKalfa 6004i, TASKalfa 5004i, TASKalfa 6003i, TASKalfa 5003i, ECOSYS MA6000ifx, ECOSYS MA5500ifx, ECOSYS MA4500ifx, ECOSYS MA4500fx, ECOSYS MA4500ix, ECOSYS MA4500x, TASKalfa MZ4000i, TASKalfa MZ3200i, TASKalfa 4012i, TASKalfa 3212i, TASKalfa 3011i, TASKalfa 3511i, TASKalfa 2201, TASKalfa 2200, TASKalfa 1801, TASKalfa 1800, TASKalfa 2321, TASKalfa 2321/A, TASKalfa 2320, TASKalfa 2021, TASKalfa 2020, TASKalfa Pro 15000c/B, ECOSYS M3660idn, ECOSYS M3655idn, ECOSYS M3655idn/A, ECOSYS M3645idn, ECOSYS M3145idn, ECOSYS M3645dn, ECOSYS M3145dn, ECOSYS M3860idn, ECOSYS M3860idnf
Color printer:
ECOSYS P8060cdn, ECOSYS PA2100cwx, ECOSYS PA2100cx
Monochrome printers:
ECOSYS PA6000x, ECOSYS PA5500x, ECOSYS PA5000x, ECOSYS PA4500x, ECOSYS P40050x, ECOSYS P4060dn
【Products affected by this vulnerability】
For more information on how this vulnerability affects products, please contact your local distributor where you purchased the product.
