// For flags

CVE-2023-6233

Canon imageCLASS MF753Cdw SLP service-url Stack-based Buffer Overflow Remote Code Execution Vulnerability

Severity Score

9.8
*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

0
*Multiple Sources

Exploited in Wild

-
*KEV

Decision

-
*SSVC
Descriptions

Buffer overflow in SLP attribute request process of Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code.*: Satera LBP670C Series/Satera MF750C Series firmware v03.07 and earlier sold in Japan. Color imageCLASS LBP674C/Color imageCLASS X LBP1333C/Color imageCLASS MF750C Series/Color imageCLASS X MF1333C Series firmware v03.07 and earlier sold in US. i-SENSYS LBP673Cdw/C1333P/i-SENSYS MF750C Series/C1333i Series firmware v03.07 and earlier sold in Europe.

Desbordamiento de búfer en el proceso de solicitud de atributos SLP de impresoras multifunción de oficina e impresoras láser (*) que puede permitir que un atacante en el segmento de red haga que el producto afectado no responda o ejecute código arbitrario.*: firmware Satera LBP670C Series/Satera MF750C Series v03 .07 y anteriores vendidos en Japón. Color imageCLASS LBP674C/Color imageCLASS X LBP1333C/Color imageCLASS MF750C Series/Color imageCLASS X MF1333C Series firmware v03.07 y anteriores vendidos en EE. UU. Firmware i-SENSYS LBP673Cdw/C1333P/i-SENSYS MF750C Series/C1333i Series v03.07 y anteriores vendidos en Europa.

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Canon imageCLASS MF753Cdw printers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the service-url parameter provided to the Service Location Protocol endpoint. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device.

*Credits: @quangnh89 and @ExLuck99
CVSS Scores
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High
* Common Vulnerability Scoring System
SSVC
  • Decision:-
Exploitation
-
Automatable
-
Tech. Impact
-
* Organization's Worst-case Scenario
Timeline
  • 2023-11-21 CVE Reserved
  • 2024-02-06 CVE Published
  • 2024-05-15 EPSS Updated
  • 2024-08-02 CVE Updated
  • ---------- Exploited in Wild
  • ---------- KEV Due Date
  • ---------- First Exploit
CWE
  • CWE-787: Out-of-bounds Write
CAPEC
Affected Vendors, Products, and Versions
Vendor Product Version Other Status
Vendor Product Version Other Status <-- --> Vendor Product Version Other Status
Canon
Search vendor "Canon"
Mf755cdw Firmware
Search vendor "Canon" for product "Mf755cdw Firmware"
<= 03.07
Search vendor "Canon" for product "Mf755cdw Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Mf755cdw
Search vendor "Canon" for product "Mf755cdw"
--
Safe
Canon
Search vendor "Canon"
Mf753cdw Firmware
Search vendor "Canon" for product "Mf753cdw Firmware"
<= 03.07
Search vendor "Canon" for product "Mf753cdw Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Mf753cdw
Search vendor "Canon" for product "Mf753cdw"
--
Safe
Canon
Search vendor "Canon"
Mf751cdw Firmware
Search vendor "Canon" for product "Mf751cdw Firmware"
<= 03.07
Search vendor "Canon" for product "Mf751cdw Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Mf751cdw
Search vendor "Canon" for product "Mf751cdw"
--
Safe
Canon
Search vendor "Canon"
Lbp674c Firmware
Search vendor "Canon" for product "Lbp674c Firmware"
<= 03.07
Search vendor "Canon" for product "Lbp674c Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Lbp674c
Search vendor "Canon" for product "Lbp674c"
--
Safe
Canon
Search vendor "Canon"
Lbp672c Firmware
Search vendor "Canon" for product "Lbp672c Firmware"
<= 03.07
Search vendor "Canon" for product "Lbp672c Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Lbp672c
Search vendor "Canon" for product "Lbp672c"
--
Safe
Canon
Search vendor "Canon"
Lbp671c Firmware
Search vendor "Canon" for product "Lbp671c Firmware"
<= 03.07
Search vendor "Canon" for product "Lbp671c Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Lbp671c
Search vendor "Canon" for product "Lbp671c"
--
Safe
Canon
Search vendor "Canon"
Mf1238 Ii Firmware
Search vendor "Canon" for product "Mf1238 Ii Firmware"
<= 03.07
Search vendor "Canon" for product "Mf1238 Ii Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Mf1238 Ii
Search vendor "Canon" for product "Mf1238 Ii"
--
Safe
Canon
Search vendor "Canon"
Mf1333c Firmware
Search vendor "Canon" for product "Mf1333c Firmware"
<= 03.07
Search vendor "Canon" for product "Mf1333c Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Mf1333c
Search vendor "Canon" for product "Mf1333c"
--
Safe
Canon
Search vendor "Canon"
Mf1643i Ii Firmware
Search vendor "Canon" for product "Mf1643i Ii Firmware"
<= 03.07
Search vendor "Canon" for product "Mf1643i Ii Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Mf1643i Ii
Search vendor "Canon" for product "Mf1643i Ii"
--
Safe
Canon
Search vendor "Canon"
Mf1643if Ii Firmware
Search vendor "Canon" for product "Mf1643if Ii Firmware"
<= 03.07
Search vendor "Canon" for product "Mf1643if Ii Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Mf1643if Ii
Search vendor "Canon" for product "Mf1643if Ii"
--
Safe
Canon
Search vendor "Canon"
Mf275dw Firmware
Search vendor "Canon" for product "Mf275dw Firmware"
<= 03.07
Search vendor "Canon" for product "Mf275dw Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Mf275dw
Search vendor "Canon" for product "Mf275dw"
--
Safe
Canon
Search vendor "Canon"
Mf273dw Firmware
Search vendor "Canon" for product "Mf273dw Firmware"
<= 03.07
Search vendor "Canon" for product "Mf273dw Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Mf273dw
Search vendor "Canon" for product "Mf273dw"
--
Safe
Canon
Search vendor "Canon"
Mf272dw Firmware
Search vendor "Canon" for product "Mf272dw Firmware"
<= 03.07
Search vendor "Canon" for product "Mf272dw Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Mf272dw
Search vendor "Canon" for product "Mf272dw"
--
Safe
Canon
Search vendor "Canon"
Mf455dw Firmware
Search vendor "Canon" for product "Mf455dw Firmware"
<= 03.07
Search vendor "Canon" for product "Mf455dw Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Mf455dw
Search vendor "Canon" for product "Mf455dw"
--
Safe
Canon
Search vendor "Canon"
Mf453dw Firmware
Search vendor "Canon" for product "Mf453dw Firmware"
<= 03.07
Search vendor "Canon" for product "Mf453dw Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Mf453dw
Search vendor "Canon" for product "Mf453dw"
--
Safe
Canon
Search vendor "Canon"
Mf452dw Firmware
Search vendor "Canon" for product "Mf452dw Firmware"
<= 03.07
Search vendor "Canon" for product "Mf452dw Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Mf452dw
Search vendor "Canon" for product "Mf452dw"
--
Safe
Canon
Search vendor "Canon"
Mf451dw Firmware
Search vendor "Canon" for product "Mf451dw Firmware"
<= 03.07
Search vendor "Canon" for product "Mf451dw Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Mf451dw
Search vendor "Canon" for product "Mf451dw"
--
Safe
Canon
Search vendor "Canon"
Lbp122dw Firmware
Search vendor "Canon" for product "Lbp122dw Firmware"
<= 03.07
Search vendor "Canon" for product "Lbp122dw Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Lbp122dw
Search vendor "Canon" for product "Lbp122dw"
--
Safe
Canon
Search vendor "Canon"
Lbp1238 Ii Firmware
Search vendor "Canon" for product "Lbp1238 Ii Firmware"
<= 03.07
Search vendor "Canon" for product "Lbp1238 Ii Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Lbp1238 Ii
Search vendor "Canon" for product "Lbp1238 Ii"
--
Safe
Canon
Search vendor "Canon"
Lbp1333c Firmware
Search vendor "Canon" for product "Lbp1333c Firmware"
<= 03.07
Search vendor "Canon" for product "Lbp1333c Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Lbp1333c
Search vendor "Canon" for product "Lbp1333c"
--
Safe
Canon
Search vendor "Canon"
Lbp237dw Firmware
Search vendor "Canon" for product "Lbp237dw Firmware"
<= 03.07
Search vendor "Canon" for product "Lbp237dw Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Lbp237dw
Search vendor "Canon" for product "Lbp237dw"
--
Safe
Canon
Search vendor "Canon"
Lbp236dw Firmware
Search vendor "Canon" for product "Lbp236dw Firmware"
<= 03.07
Search vendor "Canon" for product "Lbp236dw Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Lbp236dw
Search vendor "Canon" for product "Lbp236dw"
--
Safe
Canon
Search vendor "Canon"
Lbp674cdw Firmware
Search vendor "Canon" for product "Lbp674cdw Firmware"
<= 03.07
Search vendor "Canon" for product "Lbp674cdw Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
Lbp674cdw
Search vendor "Canon" for product "Lbp674cdw"
--
Safe
Canon
Search vendor "Canon"
I-sensys Mf754cdw Firmware
Search vendor "Canon" for product "I-sensys Mf754cdw Firmware"
<= 03.07
Search vendor "Canon" for product "I-sensys Mf754cdw Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
I-sensys Mf754cdw
Search vendor "Canon" for product "I-sensys Mf754cdw"
--
Safe
Canon
Search vendor "Canon"
I-sensys X C1333if Firmware
Search vendor "Canon" for product "I-sensys X C1333if Firmware"
<= 03.07
Search vendor "Canon" for product "I-sensys X C1333if Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
I-sensys X C1333if
Search vendor "Canon" for product "I-sensys X C1333if"
--
Safe
Canon
Search vendor "Canon"
I-sensys Lbp673cdw Firmware
Search vendor "Canon" for product "I-sensys Lbp673cdw Firmware"
<= 03.07
Search vendor "Canon" for product "I-sensys Lbp673cdw Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
I-sensys Lbp673cdw
Search vendor "Canon" for product "I-sensys Lbp673cdw"
--
Safe
Canon
Search vendor "Canon"
I-sensys Mf752cdw Firmware
Search vendor "Canon" for product "I-sensys Mf752cdw Firmware"
<= 03.07
Search vendor "Canon" for product "I-sensys Mf752cdw Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
I-sensys Mf752cdw
Search vendor "Canon" for product "I-sensys Mf752cdw"
--
Safe
Canon
Search vendor "Canon"
I-sensys X C1333i Firmware
Search vendor "Canon" for product "I-sensys X C1333i Firmware"
<= 03.07
Search vendor "Canon" for product "I-sensys X C1333i Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
I-sensys X C1333i
Search vendor "Canon" for product "I-sensys X C1333i"
--
Safe
Canon
Search vendor "Canon"
I-sensys X C1333p Firmware
Search vendor "Canon" for product "I-sensys X C1333p Firmware"
<= 03.07
Search vendor "Canon" for product "I-sensys X C1333p Firmware" and version " <= 03.07"
-
Affected
in Canon
Search vendor "Canon"
I-sensys X C1333p
Search vendor "Canon" for product "I-sensys X C1333p"
--
Safe