[German]Lexmark has discovered a vulnerability in it’s All-in-one devices within the color fax function. Lexmark published a security advisory about this vulneratbility. Currently it’s unclear, if Lexmark provides firmware updates do mitigate the vulnerability within his devices.
I stumbled upon this information on German magazine heise.de, although the vulnerabilities have been known since August. Because the Lexmark Security Advisory: Lexmark Buffer Overflow Vulnerability describes a vulnerability in the color fax function of its all-in-one devices as early as August 24, 2018. Lexmark has identified a buffer overflow vulnerability in some models of some machines that process color fax jobs.
- CVE-2018-1551919: This critical vulnerability allows an attacker to use a prepared fax message to attack a Lexmark all-in-one device. The vulnerability allows a remote attacker to execute arbitrary code through the device.
- CVE-2018-15520: This highly rated vulnerability allows an attacker to crash a Lexmark all-in-one device with a prepared fax message. This vulnerability allows to create a denial of service condition. It may be possible to influence other effects on the fax function..
Both vulnerabilities persist until the received fax data is deleted from the machine (the Lexmark Support Center should be able to provide instructions on how to delete a fax message for that machine).
Meanwhile, Lexmark has posted a list of affected devices on this website. Whether a firmware update is available for a device, should be answered by Lexmark support (I received a reader’s feedback, that nor firmware updates are available). A workaround is to disable the Enable ‘Color Fax Receive’ feature on the affected devices.