Canon has released firmware updates that fix seven critical-severity vulnerabilities in several of its small office printer models. The flaws are buffer overflows, tracked as CVE-2023-6229 through CVE-2023-6234 and CVE-2024-0244, and each carries a CVSS score of 9.8. They are reachable over the network and can lead to remote code execution or leave the affected device unresponsive. Canon warns that when a printer is connected directly to the internet without a router in front of it, an unauthenticated remote attacker could execute arbitrary code on the device or trigger a denial-of-service (DoS) condition.
The affected products include i-SENSYS and imageCLASS series printers, and the exact list of models differs by region (Europe, North America and Japan). All seven vulnerabilities affect firmware version 03.07 and earlier. Canon advises customers to install the latest firmware available for their model, even though no exploitation of these flaws has been reported. As a further mitigation, Canon recommends limiting remote access to the printers: place them behind a firewall or router and assign them private IP addresses rather than exposing them directly to the internet. The vulnerabilities were reported through Trend Micro's Zero Day Initiative (ZDI).
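The two checks a fleet owner would want to run after reading the advisory, whether a device still runs firmware 03.07 or earlier and whether it sits outside RFC 1918 private address space, as an added Python example. This is not code from Canon's advisory or from the article; the inventory records are constructed and the record layout (name, firmware string, IP) is an assumption about how such a list might be kept.

```python
"""Flag printers that still run affected firmware (03.07 and earlier) and/or
are addressed outside RFC 1918 private space.

Added example; the inventory below is constructed and does not describe
real devices.
"""
import ipaddress
from typing import Dict, Iterable, List, NamedTuple, Tuple

# Advisory threshold: firmware version 03.07 and earlier are affected.
AFFECTED_MAX_VERSION: Tuple[int, int] = (3, 7)

# RFC 1918 ranges checked explicitly. ipaddress.ip_address(...).is_private
# also returns True for documentation ranges such as 203.0.113.0/24, which
# is not what "assign a private IP address" means here.
RFC1918 = [
    ipaddress.ip_network(n)
    for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")
]


class Printer(NamedTuple):
    name: str      # constructed label, not a real asset
    firmware: str  # version string as shown on the device, e.g. "03.07"
    ip: str        # address the device answers on


def parse_version(version: str) -> Tuple[int, int]:
    """'03.07' -> (3, 7); 'v03.10' -> (3, 10).

    Comparing integer tuples avoids the string-comparison trap where
    '03.10' < '03.07' is False but '3.7' > '03.10' is True. Only the first
    two components are compared, matching the advisory's "03.07" granularity.
    """
    parts = version.strip().lstrip("vV").split(".")
    major, minor = (int(p) for p in parts[:2])
    return (major, minor)


def is_affected_firmware(version: str) -> bool:
    """True when the firmware is at or below the advisory threshold."""
    return parse_version(version) <= AFFECTED_MAX_VERSION


def is_rfc1918(ip: str) -> bool:
    """True when the address falls inside one of the RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


def assess(printers: Iterable[Printer]) -> Dict[str, List[str]]:
    """Return, per printer name, the list of remediation items it needs."""
    findings: Dict[str, List[str]] = {}
    for p in printers:
        issues: List[str] = []
        if is_affected_firmware(p.firmware):
            issues.append("firmware <= 03.07: install the latest firmware")
        if not is_rfc1918(p.ip):
            issues.append("non-RFC1918 address: move behind a router/firewall")
        findings[p.name] = issues
    return findings


# Constructed inventory covering the four possible outcomes.
SAMPLE_INVENTORY = [
    Printer("lobby-printer", "03.07", "10.20.30.40"),       # old firmware only
    Printer("branch-printer", "03.10", "203.0.113.10"),     # exposed only
    Printer("ops-printer", "v03.05", "198.51.100.7"),       # both problems
    Printer("hq-printer", "03.10", "192.168.1.50"),         # clean
]

if __name__ == "__main__":
    for name, issues in assess(SAMPLE_INVENTORY).items():
        print(f"{name}: {'; '.join(issues) if issues else 'OK'}")
```

The version check compares integer tuples on purpose: a plain string comparison of "03.10" against "03.07" happens to work, but "3.7" against "03.10" does not, and firmware strings in inventories are rarely normalised.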