CVE-2024-0244

Canon imageCLASS MF753Cdw Fax Job Heap-Based Buffer Overflow Remote Code Execution Vulnerability

Severity Score

9.8

*CVSS v3.1

Exploit Likelihood

*EPSS

Affected Versions

*CPE

Public Exploits

*Multiple Sources

Exploited in Wild

*KEV

Decision

*SSVC

Descriptions

Buffer overflow in CPCA PCFAX number process of Office Multifunction Printers and Laser Printers(*) which may allow an attacker on the network segment to trigger the affected product being unresponsive or to execute arbitrary code.*:Satera MF750C Series firmware v03.07 and earlier sold in Japan. Color imageCLASS MF750C Series/Color imageCLASS X MF1333C firmware v03.07 and earlier sold in US. i-SENSYS MF754Cdw/C1333iF firmware v03.07 and earlier sold in Europe.

Desbordamiento de búfer en el proceso de número CPCA PCFAX de impresoras multifunción de oficina e impresoras láser (*), lo que puede permitir que un atacante en el segmento de red haga que el producto afectado no responda o ejecute código arbitrario.*: Firmware de la serie Satera MF750C v03.07 y anteriores vendido en Japón. Serie Color imageCLASS MF750C/Firmware Color imageCLASS X MF1333C v03.07 y anteriores vendidos en EE. UU. Firmware i-SENSYS MF754Cdw/C1333iF v03.07 y anteriores vendidos en Europa.

This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Canon imageCLASS MF753Cdw printers. Authentication is not required to exploit this vulnerability.
The specific flaw exists within the handling of fax jobs. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length heap-based buffer. An attacker can leverage this vulnerability to execute code in the context of the device.

*Credits: Connor Ford (@ByteInsight) of Nettitude

Attack Vector

Network

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

Attack Vector

Adjacent

Attack Complexity

Low

Privileges Required

None

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

High

* Common Vulnerability Scoring System

SSVC

Decision:-

Exploitation

Automatable

Tech. Impact

* Organization's Worst-case Scenario

Timeline

2024-01-05 CVE Reserved
2024-02-06 CVE Published
2024-05-15 EPSS Updated
2024-08-01 CVE Updated
---------- Exploited in Wild
---------- KEV Due Date
---------- First Exploit

CWE

CWE-787: Out-of-bounds Write

CAPEC

References (4)

URL	Tag	Source

URL	Date	SRC

URL	Date	SRC

URL	Date	SRC
https://canon.jp/support/support-info/240205vulnerability-response	2024-02-13
https://psirt.canon/advisory-information/cp2024-001	2024-02-13
https://www.canon-europe.com/support/product-security-latest-news	2024-02-13
https://www.usa.canon.com/support/canon-product-advisories/Service-Notice-Regarding-Vulnerability-Measure-Against-Buffer-Overflow-for-Laser-Printers-and-Small-Office-Multifunctional-Printers	2024-02-13

Affected Vendors, Products, and Versions

Vendor		Product				Version		Other		Status
Vendor	Product	Version	Other	Status	<-- -->	Vendor	Product	Version	Other	Status
Canon Search vendor "Canon"	I-sensys Mf754cdw Firmware Search vendor "Canon" for product "I-sensys Mf754cdw Firmware"	<= 03.07 Search vendor "Canon" for product "I-sensys Mf754cdw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	I-sensys Mf754cdw Search vendor "Canon" for product "I-sensys Mf754cdw"	-	-	Safe
Canon Search vendor "Canon"	I-sensys X C1333if Firmware Search vendor "Canon" for product "I-sensys X C1333if Firmware"	<= 03.07 Search vendor "Canon" for product "I-sensys X C1333if Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	I-sensys X C1333if Search vendor "Canon" for product "I-sensys X C1333if"	-	-	Safe
Canon Search vendor "Canon"	Mf755cdw Firmware Search vendor "Canon" for product "Mf755cdw Firmware"	<= 03.07 Search vendor "Canon" for product "Mf755cdw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Mf755cdw Search vendor "Canon" for product "Mf755cdw"	-	-	Safe
Canon Search vendor "Canon"	Mf753cdw Firmware Search vendor "Canon" for product "Mf753cdw Firmware"	<= 03.07 Search vendor "Canon" for product "Mf753cdw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Mf753cdw Search vendor "Canon" for product "Mf753cdw"	-	-	Safe
Canon Search vendor "Canon"	Mf751cdw Firmware Search vendor "Canon" for product "Mf751cdw Firmware"	<= 03.07 Search vendor "Canon" for product "Mf751cdw Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Mf751cdw Search vendor "Canon" for product "Mf751cdw"	-	-	Safe
Canon Search vendor "Canon"	Mf1333c Firmware Search vendor "Canon" for product "Mf1333c Firmware"	<= 03.07 Search vendor "Canon" for product "Mf1333c Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Mf1333c Search vendor "Canon" for product "Mf1333c"	-	-	Safe
Canon Search vendor "Canon"	Lbp1333c Firmware Search vendor "Canon" for product "Lbp1333c Firmware"	<= 03.07 Search vendor "Canon" for product "Lbp1333c Firmware" and version " <= 03.07"	-	Affected	in	Canon Search vendor "Canon"	Lbp1333c Search vendor "Canon" for product "Lbp1333c"	-	-	Safe