Toshiba Tec Warns of Security Vulnerabilities in Several e-STUDIO MFPs
Toshiba Tec of Japan today reported that security vulnerabilities have been identified in several of its copier/MFPs, noting, however, that the vulnerabilities don’t result in the leakage of information to outside parties.
The MFPs consist of the e-STUDIO 908/1058/1208, which are available in North America only,
The vulnerabilities consist of:
- Some device web pages may cause stack-based buffer overflow.
  Vulnerability number: CVE-2024-28038
- Permission is incorrectly assigned for the file in which some sensitive information is stored, and it can be viewed by exploiting another vulnerability.
  Vulnerability number: CVE-2024-28955
- Some sensitive information is stored as plain text and can be viewed by exploiting another vulnerability.
  Vulnerability number: CVE-2024-29146
- Some sensitive information is stored as plain text and can be viewed by exploiting another vulnerability.
  Vulnerability number: CVE-2024-29978
- Some sensitive information can be decrypted by exploiting another vulnerability.
  Vulnerability number: CVE-2024-32151
- Some device Web pages may cause path traversal attacks.
  Vulnerability number: CVE-2024-33605
- Some device Web pages have improper access control authority.
  Vulnerability number: CVE-2024-33610
- Improper credential information for executing some device feature may cause reference to internal information in the device.
  Vulnerability number: CVE-2024-33616
- Some device Web pages may send credential information stored in the device unintentionally. (This may be used by attackers who already hacked the device and obtained its authority.)
  Vulnerability number: CVE-2024-34162
- Credential information for executing some device features is hard-coded and can be exploited by attackers who improperly obtained the credential information.
  Vulnerability number: CVE-2024-35244
- Credential information for accessing external sites is hard-coded and can be exploited by attackers who improperly obtained the credential information.
  Vulnerability number: CVE-2024-36248
- Some device Web pages may cause cross-site scripting attacks.
  Vulnerability number: CVE-2024-36249
- Some device Web pages may cause device hang-up due to out-of-bounds memory reference.
  Vulnerability number: CVE-2024-36251
- Some device Web pages may cause device hang-up due to out-of-bounds memory reference.
  Vulnerability number: CVE-2024-36254
Toshiba recommends that owners of these MFPs contact their service company to update the main unit software.
It also recommends that MFPs connected to the Internet be placed on a network protected by a firewall. Additionally, customers should enable the user authentication function and manage their passwords appropriately.