Details of VAR-201306-0342

ID

VAR-201306-0342

CVE

CVE-2013-4613

TITLE

plural Canon Vulnerability to change settings in printer management interface

Trust: 0.8

sources: JVNDB: JVNDB-2013-003111

DESCRIPTION

The default configuration of the administrative interface on the Canon MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920, and MX922 printers does not require authentication, which allows remote attackers to modify the configuration by visiting the Advanced page. NOTE: the vendor has apparently responded by stating "for user convenience, the default setting does not require a password. However, if a user has a particular concern about third parties accessing the user's home printer, the default setting can be changed to add a password.". Canon Printer is a printer developed by Canon. If the printer is connected to a public Internet network, anonymous users are allowed to modify the configuration. Exploiting this issue can allow a remote attacker to gain access and perform unauthorized configuration changes on the affected device. This may aid in further attacks. Vulnerabilities exist in the following models: MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920, MX922. This should be corrected by requiring a password, even if only a default, but should recommend users to change it upon initial setup of the device. #2 (CVE-2013-4614): The administrative interface on these printers allow a user to enter a WEP/WPA/WPA2 pre-shared key. Once a key is entered, when a user browses the configuration page again, they can view the current password in clear-text. Once a password is configured, it should not allow the user to read it again. If the user wants to change the password, they should be required to enter a new one, which then overwrites the old one. #3 (CVE-2013-4615): There is a denial of service condition in the administrative interface on the devices. Using specially crafted HTTP requests, it is possible to cause the device to no longer respond. This requires the device to be turned off, and then back on again, to which the printer will display a message about not being properly turned off, on the display (if model has a display). I have disclosed all 3 of these issues to Canon, and unfortunately they do not feel it is necessary to fix them (In all fairness, they're not super high severity). More details, along with PoC and Metasploit modules are available here: * http://www.mattandreko.com/2013/06/canon-y-u-no-security.html* Timeline: May 27, 2013: Initial Email to vendor's support May 28, 2013: Vendor support emailed for additional details May 28, 2013: Sent a proof-of-concept exploit for the DoS vulnerability to vendor May 30, 2013: Vendor escalated issue internally June 4, 2013: Vendor notification that issue has been escalated to manufacturer June 14, 2013: Vendor notification that they will not fix issues June 18, 2013: Public Disclosure

Trust: 2.61

sources: NVD: CVE-2013-4613 // JVNDB: JVNDB-2013-003111 // CNVD: CNVD-2013-07716 // BID: 60612 // VULHUB: VHN-64615 // PACKETSTORM: 122073

IOT TAXONOMY

category:

['Network device']

sub_category:

Trust: 0.6

sources: CNVD: CNVD-2013-07716

AFFECTED PRODUCTS

vendor:	canon	model:	mg3100 printer	scope:	eq	version:	-	Trust: 1.6
vendor:	canon	model:	mx870 printer	scope:	eq	version:	-	Trust: 1.6
vendor:	canon	model:	mp495 printer	scope:	eq	version:	-	Trust: 1.6
vendor:	canon	model:	mx922 printer	scope:	eq	version:	-	Trust: 1.6
vendor:	canon	model:	mp340 printer	scope:	eq	version:	-	Trust: 1.6
vendor:	canon	model:	mx890 printer	scope:	eq	version:	-	Trust: 1.6
vendor:	canon	model:	mg6100 printer	scope:	eq	version:	-	Trust: 1.6
vendor:	canon	model:	mx920 printer	scope:	eq	version:	-	Trust: 1.6
vendor:	canon	model:	mg5300 printer	scope:	eq	version:	-	Trust: 1.6
vendor:	canon	model:	pixma mp495	scope:	-	version:	-	Trust: 0.8
vendor:	canon	model:	pixma mx340	scope:	-	version:	-	Trust: 0.8
vendor:	canon	model:	pixma mx920	scope:	-	version:	-	Trust: 0.8
vendor:	canon	model:	pixma mx922	scope:	-	version:	-	Trust: 0.8
vendor:	canon	model:	pixus mg3130	scope:	-	version:	-	Trust: 0.8
vendor:	canon	model:	pixus mg5330	scope:	-	version:	-	Trust: 0.8
vendor:	canon	model:	pixus mg6130	scope:	-	version:	-	Trust: 0.8
vendor:	canon	model:	pixus mx870	scope:	-	version:	-	Trust: 0.8
vendor:	canon	model:	pixus mx893	scope:	-	version:	-	Trust: 0.8
vendor:	canon	model:	printer mg3100	scope:	-	version:	-	Trust: 0.6
vendor:	canon	model:	printer mg5300	scope:	-	version:	-	Trust: 0.6
vendor:	canon	model:	printer mg6100	scope:	-	version:	-	Trust: 0.6
vendor:	canon	model:	printer mp495	scope:	-	version:	-	Trust: 0.6
vendor:	canon	model:	printer mx340	scope:	-	version:	-	Trust: 0.6
vendor:	canon	model:	printer mx870	scope:	-	version:	-	Trust: 0.6
vendor:	canon	model:	printer mx890	scope:	-	version:	-	Trust: 0.6
vendor:	canon	model:	printer mx920	scope:	-	version:	-	Trust: 0.6

sources: CNVD: CNVD-2013-07716 // JVNDB: JVNDB-2013-003111 // CNNVD: CNNVD-201306-388 // NVD: CVE-2013-4613

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov:	CVE-2013-4613
value:	HIGH
Trust: 1.0
NVD:	CVE-2013-4613
value:	HIGH
Trust: 0.8
CNVD:	CNVD-2013-07716
value:	MEDIUM
Trust: 0.6
CNNVD:	CNNVD-201306-388
value:	HIGH
Trust: 0.6
VULHUB:	VHN-64615
value:	HIGH
Trust: 0.1

nvd@nist.gov:	CVE-2013-4613
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 1.8
CNVD:	CNVD-2013-07716
severity:	MEDIUM
baseScore:	6.8
vectorString:	AV:N/AC:M/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	MEDIUM
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	8.6
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.6
VULHUB:	VHN-64615
severity:	HIGH
baseScore:	7.5
vectorString:	AV:N/AC:L/AU:N/C:P/I:P/A:P
accessVector:	NETWORK
accessComplexity:	LOW
authentication:	NONE
confidentialityImpact:	PARTIAL
integrityImpact:	PARTIAL
availabilityImpact:	PARTIAL
exploitabilityScore:	10.0
impactScore:	6.4
acInsufInfo:	NONE
obtainAllPrivilege:	NONE
obtainUserPrivilege:	NONE
obtainOtherPrivilege:	NONE
userInteractionRequired:	NONE
version:	2.0
Trust: 0.1

sources: CNVD: CNVD-2013-07716 // VULHUB: VHN-64615 // JVNDB: JVNDB-2013-003111 // CNNVD: CNNVD-201306-388 // NVD: CVE-2013-4613

PROBLEMTYPE DATA

problemtype:

CWE-264

Trust: 1.9

sources: VULHUB: VHN-64615 // JVNDB: JVNDB-2013-003111 // NVD: CVE-2013-4613

THREAT TYPE

remote

Trust: 0.6

sources: CNNVD: CNNVD-201306-388

TYPE

permissions and access control

Trust: 0.6

sources: CNNVD: CNNVD-201306-388

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-003111

EXPLOIT AVAILABILITY

sources: VULHUB: VHN-64615

PATCH

title:

PIXUS 商品一覧

url:

http://cweb.canon.jp/pixus/lineup/

Trust: 0.8

sources: JVNDB: JVNDB-2013-003111

EXTERNAL IDS

db:	NVD	id:	CVE-2013-4613	Trust: 3.5
db:	BID	id:	60612	Trust: 1.6
db:	JVNDB	id:	JVNDB-2013-003111	Trust: 0.8
db:	CNNVD	id:	CNNVD-201306-388	Trust: 0.7
db:	CNVD	id:	CNVD-2013-07716	Trust: 0.6
db:	FULLDISC	id:	20130618 CANON WIRELESS PRINTER DISCLOSURE & DOS	Trust: 0.6
db:	PACKETSTORM	id:	122073	Trust: 0.2
db:	VULHUB	id:	VHN-64615	Trust: 0.1

sources: CNVD: CNVD-2013-07716 // VULHUB: VHN-64615 // BID: 60612 // JVNDB: JVNDB-2013-003111 // PACKETSTORM: 122073 // CNNVD: CNNVD-201306-388 // NVD: CVE-2013-4613

REFERENCES

url:	http://www.mattandreko.com/2013/06/canon-y-u-no-security.html	Trust: 2.5
url:	http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0146.html	Trust: 1.7
url:	http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4613	Trust: 0.8
url:	http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-4613	Trust: 0.8
url:	https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/dos/http/canon_wireless_printer.rb	Trust: 0.8
url:	http://seclists.org/fulldisclosure/2013/jun/145	Trust: 0.6
url:	http://www.securityfocus.com/bid/60612	Trust: 0.6
url:	http://www.canon.com/	Trust: 0.3
url:	https://nvd.nist.gov/vuln/detail/cve-2013-4614	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-4615	Trust: 0.1
url:	http://www.mattandreko.com/2013/06/canon-y-u-no-security.html*	Trust: 0.1
url:	https://nvd.nist.gov/vuln/detail/cve-2013-4613	Trust: 0.1

sources: CNVD: CNVD-2013-07716 // VULHUB: VHN-64615 // BID: 60612 // JVNDB: JVNDB-2013-003111 // PACKETSTORM: 122073 // CNNVD: CNNVD-201306-388 // NVD: CVE-2013-4613

CREDITS

Matt Andreko

Trust: 1.0

sources: BID: 60612 // PACKETSTORM: 122073 // CNNVD: CNNVD-201306-388

SOURCES

db:	CNVD	id:	CNVD-2013-07716
db:	VULHUB	id:	VHN-64615
db:	BID	id:	60612
db:	JVNDB	id:	JVNDB-2013-003111
db:	PACKETSTORM	id:	122073
db:	CNNVD	id:	CNNVD-201306-388
db:	NVD	id:	CVE-2013-4613

LAST UPDATE DATE

2025-04-11T22:48:46.202000+00:00

SOURCES UPDATE DATE

db:	CNVD	id:	CNVD-2013-07716	date:	2013-06-21T00:00:00
db:	VULHUB	id:	VHN-64615	date:	2013-06-24T00:00:00
db:	BID	id:	60612	date:	2013-06-18T00:00:00
db:	JVNDB	id:	JVNDB-2013-003111	date:	2013-06-25T00:00:00
db:	CNNVD	id:	CNNVD-201306-388	date:	2013-06-24T00:00:00
db:	NVD	id:	CVE-2013-4613	date:	2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db:	CNVD	id:	CNVD-2013-07716	date:	2013-06-21T00:00:00
db:	VULHUB	id:	VHN-64615	date:	2013-06-21T00:00:00
db:	BID	id:	60612	date:	2013-06-18T00:00:00
db:	JVNDB	id:	JVNDB-2013-003111	date:	2013-06-25T00:00:00
db:	PACKETSTORM	id:	122073	date:	2013-06-18T14:23:23
db:	CNNVD	id:	CNNVD-201306-388	date:	2013-06-24T00:00:00
db:	NVD	id:	CVE-2013-4613	date:	2013-06-21T21:55:01.007