[German]Printer manufacturer Lexmark warned of a vulnerability in more than a hundred of its printer models as early as June 2022. Attackers who have already gained access to the firmware of the printers can then infiltrate there via a vulnerability. However, the whole thing only became public at the end of August 2022 through an entry in the CVE database. The manufacturer wants to provide a corresponding firmware update by mid-September 2022. Furthermore, I have the information that the USB communication problem of Lexmark printers should also be fixed with this firmware update. This occurred after the July 2022 patch Tuesday and causes Lexmark printers to output only unintelligible characters.

Firmware vulnerability in 100 models

In Lexmark Security Advisory CVE-2022-29850 (PDF, published in June 2022), the manufacturer writes that the Lexmark firmware is stored in a compressed read-only file system. This read-only file system is continuously checked for integrity when programs are loaded into RAM for execution. When the device is rebooted, hazards and problems that have occurred due to tampering with the firmware loaded into RAM are eliminated.

However, there is a vulnerability in older firmware versions that allows an attacker to modify the internal configuration files. However, this assumes that the attacker has already compromised the device and is therefore able to change the configuration files. In this case, there would be a risk of making this compromise permanent, i.e., after rebooting the device, it would remain compromised.

It is important to note that the vulnerability cannot be used to compromise the printer – but the attacker must have previously nested in RAM by other means. Nevertheless, Lexmark rates the vulnerability with a CVSSv3 Base Score 9.8, with exploitability considered low (3.9). Successful exploitation of this vulnerability could lead to the installation of a persistent backdoor on the affected device, the vendor writes.

There is another advisory CVE-2019-11358 dated August 30, 2022, which addresses a vulnerability in jQuery that can lead to denial of service, remote code execution, or property injection. This vulnerability is expected to be addressed by firmware version .081.001 and later. So that would also be fixed with the subsequent firmware update.

Affected devices and still no firmware update

Lexmark lists the more than 100 affected printer models in Lexmark Security Advisory CVE-2022-29850 and states that firmware versions xxx.081.013 and older are affected. The firmware update xxx.081.014 a and later versions are supposed to fix the vulnerability. So far so good.

To check the firmware status of a device, the menu item "Settings"->"Reports"->"Menu settings page" can be selected on the control panel. If the firmware state listed under "Device Information" matches a state under "Affected Releases" from CVE-2022-29850, the manufacturer advises to update it to the state under "Fixed Release".

The firmware updates are supposed to be downloadable from the Lexmark support site, according to the advisory. I had a quick look at the Lexmark support page, but so far only older firmware versions like MXNGM.076.308.zip for the Lexmark MB2338 are offered there. 

Firmware update pulled, revision shall also fix USB issue in Windows

Readers from German site heise has observed also, that the firmware update isn't offered on Lexmark's site. Then the heise editors asked Lexmark and was told (according to this German article):

Lexmark released firmware at the end of July as a security recommendation. Unfortunately, some customers experienced problems installing this original firmware, so we have removed it from the website. We are currently testing a firmware upgrade that not only addresses the vulnerability, but also includes fixes related to a Microsoft patch that was recently released to address USB communication errors on print devices. We expect the new firmware upgrade to be available by mid-September. Customers who want to upgrade now, and then again for the Microsoft patch, can contact Lexmark's Technical Support Center.

And there this statement falls again as a small piece of the puzzle in front of my feet, because I had reported in the blog post Windows: Printer issues after July 2022 patchday and fixes, that Lexmark printers failed to print texts since the July 2022 patchday – the printer creates only "hieroglyphs". This week, German blog reader Simon B. asked me about the Windows USB printer problem with Lexmark printers and wrote (I've translated).

Hello Mr. Born,

first of all thank you very much for your super blog and the work you do with it. It is always very informative and a very good place to go for problems. So also the problem with local USB printers after the Windows updates of July 2022. Both in the German and as English Blog could be found references to it:

Windows: Printer issues after July 2022 patchday and fixes
Kommentar zum Beitrag Patchday: Windows 10-Updates (12. Juli 2022)

The partially new printer objects, which had an additional "printer port" (USB002. USB003 etc.), could be solved relatively easily.

We still have problems with Lexmark printers that are connected locally to workstations. The Lexmark devices sometimes only print special characters and do so continuously, regardless of how many pages the document to be printed contains. I can't find any updated drivers for the affected devices on the manufacturer's website (firmware dated July 8, 2022, driver dated June 6, 2022).

Do you have any more recent findings or advice on the subject?

Thank you very much!

Simon B.

Well, with the above statement, it seems that Lexmark will release a firmware update by mid-September 2022, which on the one hand closes the vulnerability, but on the other hand also closes the USB printer communication problem for affected Windows systems.

Similar articles:
Windows: Printer issues after July 2022 patchday and fixes
Critical vulnerability CVE-2021-44738 in Lexmark printers (Jan. 2022)
More Lexmark device vulnerabilities (wrap-up Feb. 2022)