CERTVU:737740Fiery Network Controllers for Xerox DocuColor 242/252/260 Printer/Copier use a vulnerable version of OpenSSL
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.335 Low
EPSS
Percentile
97.0%
Overview
Fiery Network Controllers for Xerox DocuColor 242/252/260 Printer/Copier use a vulnerable version of OpenSSL (0.9.8o).
Description
Fiery Network Controllers for Xerox DocuColor 242/252/260 Printer/Copier uses OpenSSL for SSL/TLS encryption. The version of OpenSSL that comes with the Fiery Network Controllers for Xerox DocuColor 242/252/260 Printer/Copier is 0.9.8o that is out of date and known to be vulnerable.
Impact
A remote attacker may be able to cause a denial of service or possibly run arbitrary code.
Solution
Apply an Update
Apply patch 1-1IJ6ZK. The patch will upgrade OpenSSL to version 0.9.8x. Patch 1-1IJ6ZK can be obtained from Xerox tech support.
Restrict access
As a general good security practice, only allow connections from trusted hosts and networks.
Vendor Information
737740
Filter by status: All Affected Not Affected Unknown
Filter by content: __ Additional information available
__ Sort by: Status Alphabetical
Expand all
Javascript is disabled. Click here to view vendors.
EFI Affected
Notified: December 18, 2012 Updated: March 18, 2013
Status
Affected
Vendor Statement
We have not received a statement from the vendor.
Vendor Information
We are not aware of further vendor information regarding this vulnerability.
CVSS Metrics
| Group | Score | Vector |
|---|---|---|
| Base | 6.9 | AV:A/AC:M/Au:N/C:P/I:P/A:C |
| Temporal | 5.1 | E:U/RL:OF/RC:C |
| Environmental | 1 | CDP:L/TD:L/CR:L/IR:L/AR:L |
References
- http://www.support.xerox.com/support/docucolor-242-252-260/downloads/enus.html?associatedProduct=fiery-exp260&operatingSystem=win7x64
- <https://www.openssl.org/news/vulnerabilities.html>
- <http://w3.efi.com/Fiery>
Acknowledgements
Thanks to Curtis Rhodes for reporting this vulnerability.
This document was written by Jared Allar.
Other Information
| CVE IDs: | CVE-2013-0169, CVE-2013-0166, CVE-2012-2333, CVE-2012-0884, CVE-2011-4619, CVE-2011-4577, CVE-2011-4576, CVE-2011-4109, CVE-2011-4108, CVE-2010-4180, CVE-2010-3864 |
|---|---|
| Date Public: | 2013-03-18 Date First Published: |
Related
9.3 High
CVSS2
Access Vector
NETWORK
Access Complexity
MEDIUM
Authentication
NONE
Confidentiality Impact
COMPLETE
Integrity Impact
COMPLETE
Availability Impact
COMPLETE
AV:N/AC:M/Au:N/C:C/I:C/A:C
0.335 Low
EPSS
Percentile
97.0%