More Lexmark device vulnerabilities (wrap-up Feb. 2022)

In late January 2022, a critical vulnerability, CVE-2021-44738, in the PostScript interpreter of various Lexmark printers became public. The manufacturer warns about this vulnerability, which allows remote code execution, and provides a firmware update to close it. However, there are further vulnerabilities that have received little attention so far and may be even more critical.

Vulnerability CVE-2021-44738

A critical vulnerability, CVE-2021-44738, in the PostScript interpreter of various Lexmark printers was reported at the end of January 2022. The manufacturer warns about this vulnerability, which allows remote code execution, in a security advisory and provides a firmware update to close it. I had reported on it in the blog post Critical vulnerability CVE-2021-44738 in Lexmark printers (Jan. 2022).

Wait, there are more vulnerabilities

German blog reader Karl contacted me by email following the article mentioned above and pointed out that this was probably just the tip of the iceberg (thanks for pointing it out). Karl wrote:

Hello Mr. Born,

I have just been contacted by a partner in the printer business to assess the reported vulnerability of Lexmark and would like to send this to them.

In my opinion, however, this is only the tip of the iceberg, because the public Security Advisories mention two other vulnerabilities in the embedded web server that I consider far more critical.

Karl then also sent me the links to the Security Advisories in question, which can be found via Lexmark's Alert List.

  • CVE-2021-44735: A vulnerability has been discovered in the embedded web server of Lexmark devices. The vulnerability
    allows an attacker to execute arbitrary code on the device. The CVSSv3 base score is reported as 9.0.
  • CVE-2021-44734: A vulnerability has been discovered in the embedded web server of Lexmark devices. The vulnerability
    allows an attacker to change the configuration of the device. The CVSSv3 base score is reported as 9.1.

The list of affected devices can be found in the two linked PDF documents. Firmware updates for the affected printers are already available, but, as Karl writes, experience has shown that these can occasionally cause side effects, such as toner cartridges not being recognized or being reported as outdated.

Similar articles:
Critical vulnerability CVE-2021-44738 in Lexmark printers (Jan. 2022)
Security: Vulnerability in Lexmark All-in-one devices
Windows: Status of printing issues (a.o. Dymo Labelwriter) before Feb. 2022 patchday
