ID

VAR-201306-0343


CVE

CVE-2013-4614


TITLE

Vulnerability in multiple Canon printers that allows important information to be obtained

Trust: 0.8

sources: JVNDB: JVNDB-2013-003112

DESCRIPTION

English/pages_MacUS/wls_set_content.html on the Canon MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920, and MX922 printers shows the Wi-Fi PSK passphrase in cleartext, which allows physically proximate attackers to obtain sensitive information by reading the screen of an unattended workstation.

Canon Printer is a printer developed by Canon. Multiple Canon Printers are prone to an information-disclosure vulnerability. A vulnerability exists in English/pages_MacUS/wls_set_content.html in Canon printers due to the program displaying Wi-Fi PSK passwords in clear text. Vulnerabilities exist in the following models: MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920, MX922.

The below 3 issues have been tested and verified working on the following Canon Printer models (May affect more, but this is all I was able to test against): MG3100, MG5300, MG6100, MP495, MX340, MX870, MX890, MX920

#1 (CVE-2013-4613): Canon printers do not require a password for the administrative interfaces by default. Unauthorized users on the network may configure the printer. If the printer is exposed to the public internet, anonymous users may make configuration changes as well. This should be corrected by requiring a password, even if only a default, but should recommend users to change it upon initial setup of the device.

#2 (CVE-2013-4614): The administrative interface on these printers allows a user to enter a WEP/WPA/WPA2 pre-shared key. Once a key is entered, when a user browses the configuration page again, they can view the current password in clear-text. Once a password is configured, it should not allow the user to read it again. If the user wants to change the password, they should be required to enter a new one, which then overwrites the old one.

#3 (CVE-2013-4615): There is a denial of service condition in the administrative interface on the devices. Using specially crafted HTTP requests, it is possible to cause the device to no longer respond. This requires the device to be turned off, and then back on again, to which the printer will display a message about not being properly turned off, on the display (if model has a display).

I have disclosed all 3 of these issues to Canon, and unfortunately they do not feel it is necessary to fix them (In all fairness, they're not super high severity). More details, along with PoC and Metasploit modules are available here: http://www.mattandreko.com/2013/06/canon-y-u-no-security.html

Timeline:
May 27, 2013: Initial Email to vendor's support
May 28, 2013: Vendor support emailed for additional details
May 28, 2013: Sent a proof-of-concept exploit for the DoS vulnerability to vendor
May 30, 2013: Vendor escalated issue internally
June 4, 2013: Vendor notification that issue has been escalated to manufacturer
June 14, 2013: Vendor notification that they will not fix issues
June 18, 2013: Public Disclosure

Trust: 2.61

sources: NVD: CVE-2013-4614 // JVNDB: JVNDB-2013-003112 // CNVD: CNVD-2013-07717 // BID: 60601 // VULHUB: VHN-64616 // PACKETSTORM: 122073

IOT TAXONOMY

category: ['Network device'], sub_category: -

Trust: 0.6

sources: CNVD: CNVD-2013-07717

AFFECTED PRODUCTS

vendor: canon, model: mx870 printer, scope: eq, version: -

Trust: 1.6

vendor: canon, model: mp495 printer, scope: eq, version: -

Trust: 1.6

vendor: canon, model: mg6100 printer, scope: eq, version: -

Trust: 1.6

vendor: canon, model: mx922 printer, scope: eq, version: -

Trust: 1.6

vendor: canon, model: mp340 printer, scope: eq, version: -

Trust: 1.6

vendor: canon, model: mx890 printer, scope: eq, version: -

Trust: 1.6

vendor: canon, model: mg3100 printer, scope: eq, version: -

Trust: 1.6

vendor: canon, model: mx920 printer, scope: eq, version: -

Trust: 1.6

vendor: canon, model: mg5300 printer, scope: eq, version: -

Trust: 1.6

vendor: canon, model: pixma mp495, scope: -, version: -

Trust: 0.8

vendor: canon, model: pixma mx340, scope: -, version: -

Trust: 0.8

vendor: canon, model: pixma mx920, scope: -, version: -

Trust: 0.8

vendor: canon, model: pixma mx922, scope: -, version: -

Trust: 0.8

vendor: canon, model: pixus mg3130, scope: -, version: -

Trust: 0.8

vendor: canon, model: pixus mg5330, scope: -, version: -

Trust: 0.8

vendor: canon, model: pixus mg6130, scope: -, version: -

Trust: 0.8

vendor: canon, model: pixus mx870, scope: -, version: -

Trust: 0.8

vendor: canon, model: pixus mx893, scope: -, version: -

Trust: 0.8

vendor: canon, model: printer mg3100, scope: -, version: -

Trust: 0.6

vendor: canon, model: printer mg5300, scope: -, version: -

Trust: 0.6

vendor: canon, model: printer mg6100, scope: -, version: -

Trust: 0.6

vendor: canon, model: printer mp495, scope: -, version: -

Trust: 0.6

vendor: canon, model: printer mx340, scope: -, version: -

Trust: 0.6

vendor: canon, model: printer mx870, scope: -, version: -

Trust: 0.6

vendor: canon, model: printer mx890, scope: -, version: -

Trust: 0.6

vendor: canon, model: printer mx920, scope: -, version: -

Trust: 0.6

sources: CNVD: CNVD-2013-07717 // JVNDB: JVNDB-2013-003112 // CNNVD: CNNVD-201306-389 // NVD: CVE-2013-4614

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2013-4614
value: LOW

Trust: 1.0

NVD: CVE-2013-4614
value: LOW

Trust: 0.8

CNVD: CNVD-2013-07717
value: MEDIUM

Trust: 0.6

CNNVD: CNNVD-201306-389
value: LOW

Trust: 0.6

VULHUB: VHN-64616
value: LOW

Trust: 0.1

nvd@nist.gov: CVE-2013-4614
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.8

CNVD: CNVD-2013-07717
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:P/I:N/A:N
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.6

VULHUB: VHN-64616
severity: LOW
baseScore: 2.1
vectorString: AV:L/AC:L/AU:N/C:P/I:N/A:N
accessVector: LOCAL
accessComplexity: LOW
authentication: NONE
confidentialityImpact: PARTIAL
integrityImpact: NONE
availabilityImpact: NONE
exploitabilityScore: 3.9
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: CNVD: CNVD-2013-07717 // VULHUB: VHN-64616 // JVNDB: JVNDB-2013-003112 // CNNVD: CNNVD-201306-389 // NVD: CVE-2013-4614

PROBLEMTYPE DATA

problemtype:CWE-255

Trust: 1.9

sources: VULHUB: VHN-64616 // JVNDB: JVNDB-2013-003112 // NVD: CVE-2013-4614

THREAT TYPE

local

Trust: 0.6

sources: CNNVD: CNNVD-201306-389

TYPE

trust management

Trust: 0.6

sources: CNNVD: CNNVD-201306-389

CONFIGURATIONS

sources: JVNDB: JVNDB-2013-003112

PATCH

title: PIXUS Product List, url: http://cweb.canon.jp/pixus/lineup/

Trust: 0.8

sources: JVNDB: JVNDB-2013-003112

EXTERNAL IDS

db: NVD, id: CVE-2013-4614

Trust: 3.5

db: BID, id: 60601

Trust: 1.6

db: JVNDB, id: JVNDB-2013-003112

Trust: 0.8

db: CNNVD, id: CNNVD-201306-389

Trust: 0.7

db: CNVD, id: CNVD-2013-07717

Trust: 0.6

db: FULLDISC, id: 20130618 CANON WIRELESS PRINTER DISCLOSURE & DOS

Trust: 0.6

db: VULHUB, id: VHN-64616

Trust: 0.1

db: PACKETSTORM, id: 122073

Trust: 0.1

sources: CNVD: CNVD-2013-07717 // VULHUB: VHN-64616 // BID: 60601 // JVNDB: JVNDB-2013-003112 // PACKETSTORM: 122073 // CNNVD: CNNVD-201306-389 // NVD: CVE-2013-4614

REFERENCES

url:http://www.mattandreko.com/2013/06/canon-y-u-no-security.html

Trust: 2.8

url:https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/scanner/http/canon_wireless.rb

Trust: 2.5

url:http://archives.neohapsis.com/archives/fulldisclosure/2013-06/0146.html

Trust: 1.7

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2013-4614

Trust: 0.8

url:http://web.nvd.nist.gov/view/vuln/detail?vulnid=cve-2013-4614

Trust: 0.8

url:http://seclists.org/fulldisclosure/2013/jun/145

Trust: 0.6

url:http://www.securityfocus.com/bid/60601

Trust: 0.6

url:http://www.canon.com/

Trust: 0.3

url:https://nvd.nist.gov/vuln/detail/cve-2013-4614

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-4615

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2013-4613

Trust: 0.1

sources: CNVD: CNVD-2013-07717 // VULHUB: VHN-64616 // BID: 60601 // JVNDB: JVNDB-2013-003112 // PACKETSTORM: 122073 // CNNVD: CNNVD-201306-389 // NVD: CVE-2013-4614

CREDITS

Matt Andreko

Trust: 1.0

sources: BID: 60601 // PACKETSTORM: 122073 // CNNVD: CNNVD-201306-389

SOURCES

db: CNVD, id: CNVD-2013-07717
db: VULHUB, id: VHN-64616
db: BID, id: 60601
db: JVNDB, id: JVNDB-2013-003112
db: PACKETSTORM, id: 122073
db: CNNVD, id: CNNVD-201306-389
db: NVD, id: CVE-2013-4614

LAST UPDATE DATE

2025-04-11T22:48:46.164000+00:00


SOURCES UPDATE DATE

db: CNVD, id: CNVD-2013-07717, date: 2013-08-28T00:00:00
db: VULHUB, id: VHN-64616, date: 2013-06-24T00:00:00
db: BID, id: 60601, date: 2013-06-18T00:00:00
db: JVNDB, id: JVNDB-2013-003112, date: 2013-06-25T00:00:00
db: CNNVD, id: CNNVD-201306-389, date: 2013-09-11T00:00:00
db: NVD, id: CVE-2013-4614, date: 2025-04-11T00:51:21.963

SOURCES RELEASE DATE

db: CNVD, id: CNVD-2013-07717, date: 2013-06-21T00:00:00
db: VULHUB, id: VHN-64616, date: 2013-06-21T00:00:00
db: BID, id: 60601, date: 2013-06-18T00:00:00
db: JVNDB, id: JVNDB-2013-003112, date: 2013-06-25T00:00:00
db: PACKETSTORM, id: 122073, date: 2013-06-18T14:23:23
db: CNNVD, id: CNNVD-201306-389, date: 2013-06-18T00:00:00
db: NVD, id: CVE-2013-4614, date: 2013-06-21T21:55:01.033