CVE-2023-6233

Canon imageCLASS MF753Cdw SLP service-url Stack-based Buffer Overflow Remote Code Execution Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Buffer overflow in SLP attribute request process of Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code.*: Satera LBP670C Series/Satera MF750C Series firmware v03.07 and earlier sold in Japan. Color imageCLASS LBP674C/Color imageCLASS X LBP1333C/Color imageCLASS MF750C Series/Color imageCLASS X MF1333C Series firmware v03.07 and earlier sold in US. i-SENSYS LBP673Cdw/C1333P/i-SENSYS MF750C Series/C1333i Series firmware v03.07 and earlier sold in Europe.

Desbordamiento de búfer en el proceso de solicitud de atributos SLP de impresoras multifunción de oficina e impresoras láser (*) que puede permitir que un atacante en el segmento de red haga que el producto afectado no responda o ejecute código arbitrario.*: firmware Satera LBP670C Series/Satera MF750C Series v03 .07 y anteriores vendidos en Japón. Color imageCLASS LBP674C/Color imageCLASS X LBP1333C/Color imageCLASS MF750C Series/Color imageCLASS X MF1333C Series firmware v03.07 y anteriores vendidos en EE. UU. Firmware i-SENSYS LBP673Cdw/C1333P/i-SENSYS MF750C Series/C1333i Series v03.07 y anteriores vendidos en Europa.

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Canon imageCLASS MF753Cdw printers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of the service-url parameter provided to the Service Location Protocol endpoint. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device.

*Credits: @quangnh89 and @ExLuck99

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2023-11-21 CVE Reserved
2024-02-06 CVE Published
2024-05-15 EPSS Updated
2024-08-02 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-787: Out-of-bounds Write

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://canon.jp/support/support-info/240205vulnerability-response	2024-02-13
https://psirt.canon/advisory-information/cp2024-001	2024-02-13
https://www.canon-europe.com/support/product-security-latest-news	2024-02-13
https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Vulnerability-Measure-Against-Buffer-Overflow-for-Laser-Printers-and-Small-Office-Multifunctional-Printers	2024-02-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Canon Search vendor "Canon"	Mf755cdw Firmware Search vendor "Canon" for product "Mf755cdw Firmware"	<= 03.07 Search vendor "Canon" for product "Mf755cdw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Mf755cdw Search vendor "Canon" for product "Mf755cdw"	-	-	Safe
Canon Search vendor "Canon"	Mf753cdw Firmware Search vendor "Canon" for product "Mf753cdw Firmware"	<= 03.07 Search vendor "Canon" for product "Mf753cdw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Mf753cdw Search vendor "Canon" for product "Mf753cdw"	-	-	Safe
Canon Search vendor "Canon"	Mf751cdw Firmware Search vendor "Canon" for product "Mf751cdw Firmware"	<= 03.07 Search vendor "Canon" for product "Mf751cdw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Mf751cdw Search vendor "Canon" for product "Mf751cdw"	-	-	Safe
Canon Search vendor "Canon"	Lbp674c Firmware Search vendor "Canon" for product "Lbp674c Firmware"	<= 03.07 Search vendor "Canon" for product "Lbp674c Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Lbp674c Search vendor "Canon" for product "Lbp674c"	-	-	Safe
Canon Search vendor "Canon"	Lbp672c Firmware Search vendor "Canon" for product "Lbp672c Firmware"	<= 03.07 Search vendor "Canon" for product "Lbp672c Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Lbp672c Search vendor "Canon" for product "Lbp672c"	-	-	Safe
Canon Search vendor "Canon"	Lbp671c Firmware Search vendor "Canon" for product "Lbp671c Firmware"	<= 03.07 Search vendor "Canon" for product "Lbp671c Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Lbp671c Search vendor "Canon" for product "Lbp671c"	-	-	Safe
Canon Search vendor "Canon"	Mf1238 Ii Firmware Search vendor "Canon" for product "Mf1238 Ii Firmware"	<= 03.07 Search vendor "Canon" for product "Mf1238 Ii Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Mf1238 Ii Search vendor "Canon" for product "Mf1238 Ii"	-	-	Safe
Canon Search vendor "Canon"	Mf1333c Firmware Search vendor "Canon" for product "Mf1333c Firmware"	<= 03.07 Search vendor "Canon" for product "Mf1333c Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Mf1333c Search vendor "Canon" for product "Mf1333c"	-	-	Safe
Canon Search vendor "Canon"	Mf1643i Ii Firmware Search vendor "Canon" for product "Mf1643i Ii Firmware"	<= 03.07 Search vendor "Canon" for product "Mf1643i Ii Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Mf1643i Ii Search vendor "Canon" for product "Mf1643i Ii"	-	-	Safe
Canon Search vendor "Canon"	Mf1643if Ii Firmware Search vendor "Canon" for product "Mf1643if Ii Firmware"	<= 03.07 Search vendor "Canon" for product "Mf1643if Ii Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Mf1643if Ii Search vendor "Canon" for product "Mf1643if Ii"	-	-	Safe
Canon Search vendor "Canon"	Mf275dw Firmware Search vendor "Canon" for product "Mf275dw Firmware"	<= 03.07 Search vendor "Canon" for product "Mf275dw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Mf275dw Search vendor "Canon" for product "Mf275dw"	-	-	Safe
Canon Search vendor "Canon"	Mf273dw Firmware Search vendor "Canon" for product "Mf273dw Firmware"	<= 03.07 Search vendor "Canon" for product "Mf273dw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Mf273dw Search vendor "Canon" for product "Mf273dw"	-	-	Safe
Canon Search vendor "Canon"	Mf272dw Firmware Search vendor "Canon" for product "Mf272dw Firmware"	<= 03.07 Search vendor "Canon" for product "Mf272dw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Mf272dw Search vendor "Canon" for product "Mf272dw"	-	-	Safe
Canon Search vendor "Canon"	Mf455dw Firmware Search vendor "Canon" for product "Mf455dw Firmware"	<= 03.07 Search vendor "Canon" for product "Mf455dw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Mf455dw Search vendor "Canon" for product "Mf455dw"	-	-	Safe
Canon Search vendor "Canon"	Mf453dw Firmware Search vendor "Canon" for product "Mf453dw Firmware"	<= 03.07 Search vendor "Canon" for product "Mf453dw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Mf453dw Search vendor "Canon" for product "Mf453dw"	-	-	Safe
Canon Search vendor "Canon"	Mf452dw Firmware Search vendor "Canon" for product "Mf452dw Firmware"	<= 03.07 Search vendor "Canon" for product "Mf452dw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Mf452dw Search vendor "Canon" for product "Mf452dw"	-	-	Safe
Canon Search vendor "Canon"	Mf451dw Firmware Search vendor "Canon" for product "Mf451dw Firmware"	<= 03.07 Search vendor "Canon" for product "Mf451dw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Mf451dw Search vendor "Canon" for product "Mf451dw"	-	-	Safe
Canon Search vendor "Canon"	Lbp122dw Firmware Search vendor "Canon" for product "Lbp122dw Firmware"	<= 03.07 Search vendor "Canon" for product "Lbp122dw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Lbp122dw Search vendor "Canon" for product "Lbp122dw"	-	-	Safe
Canon Search vendor "Canon"	Lbp1238 Ii Firmware Search vendor "Canon" for product "Lbp1238 Ii Firmware"	<= 03.07 Search vendor "Canon" for product "Lbp1238 Ii Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Lbp1238 Ii Search vendor "Canon" for product "Lbp1238 Ii"	-	-	Safe
Canon Search vendor "Canon"	Lbp1333c Firmware Search vendor "Canon" for product "Lbp1333c Firmware"	<= 03.07 Search vendor "Canon" for product "Lbp1333c Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Lbp1333c Search vendor "Canon" for product "Lbp1333c"	-	-	Safe
Canon Search vendor "Canon"	Lbp237dw Firmware Search vendor "Canon" for product "Lbp237dw Firmware"	<= 03.07 Search vendor "Canon" for product "Lbp237dw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Lbp237dw Search vendor "Canon" for product "Lbp237dw"	-	-	Safe
Canon Search vendor "Canon"	Lbp236dw Firmware Search vendor "Canon" for product "Lbp236dw Firmware"	<= 03.07 Search vendor "Canon" for product "Lbp236dw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Lbp236dw Search vendor "Canon" for product "Lbp236dw"	-	-	Safe
Canon Search vendor "Canon"	Lbp674cdw Firmware Search vendor "Canon" for product "Lbp674cdw Firmware"	<= 03.07 Search vendor "Canon" for product "Lbp674cdw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Lbp674cdw Search vendor "Canon" for product "Lbp674cdw"	-	-	Safe
Canon Search vendor "Canon"	I-sensys Mf754cdw Firmware Search vendor "Canon" for product "I-sensys Mf754cdw Firmware"	<= 03.07 Search vendor "Canon" for product "I-sensys Mf754cdw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	I-sensys Mf754cdw Search vendor "Canon" for product "I-sensys Mf754cdw"	-	-	Safe
Canon Search vendor "Canon"	I-sensys X C1333if Firmware Search vendor "Canon" for product "I-sensys X C1333if Firmware"	<= 03.07 Search vendor "Canon" for product "I-sensys X C1333if Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	I-sensys X C1333if Search vendor "Canon" for product "I-sensys X C1333if"	-	-	Safe
Canon Search vendor "Canon"	I-sensys Lbp673cdw Firmware Search vendor "Canon" for product "I-sensys Lbp673cdw Firmware"	<= 03.07 Search vendor "Canon" for product "I-sensys Lbp673cdw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	I-sensys Lbp673cdw Search vendor "Canon" for product "I-sensys Lbp673cdw"	-	-	Safe
Canon Search vendor "Canon"	I-sensys Mf752cdw Firmware Search vendor "Canon" for product "I-sensys Mf752cdw Firmware"	<= 03.07 Search vendor "Canon" for product "I-sensys Mf752cdw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	I-sensys Mf752cdw Search vendor "Canon" for product "I-sensys Mf752cdw"	-	-	Safe
Canon Search vendor "Canon"	I-sensys X C1333i Firmware Search vendor "Canon" for product "I-sensys X C1333i Firmware"	<= 03.07 Search vendor "Canon" for product "I-sensys X C1333i Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	I-sensys X C1333i Search vendor "Canon" for product "I-sensys X C1333i"	-	-	Safe
Canon Search vendor "Canon"	I-sensys X C1333p Firmware Search vendor "Canon" for product "I-sensys X C1333p Firmware"	<= 03.07 Search vendor "Canon" for product "I-sensys X C1333p Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	I-sensys X C1333p Search vendor "Canon" for product "I-sensys X C1333p"	-	-	Safe