Lexmark printers need firmware patch

More than 150 models of Lexmark printers need a firmware update, following the disclosure of four critical remote code execution (RCE) vulnerabilities.

The bugs were reported through Trend Micro’s Zero Day Initiative (ZDI), with credited individuals including Sina Kheirkhah of Summoning Team; Chris Anastasio; Team PHPHooligans members Rick de Jager, Carlo Meijer and Jonathan Jagt; and Team Viettel.

CVE-2023-50737 [pdf] is a bug in the SE menu, which Lexmark said “contains information used by Lexmark to diagnose device errors”.

One of the menu routines can be exploited to run arbitrary code, the advisory stated, and the vulnerability carries a critical CVSS score of 9.1.

Lexmark said the SE menu should be restricted to trusted users only.

The vulnerable printers also have three vulnerabilities in their PostScript interpreters: CVE-2023-50736 [pdf], CVE-2023-50735 [pdf], and CVE-2023-50734 [pdf], all of which carry a critical CVSS score of 9.0.

The PostScript vulnerabilities have no workarounds; firmware updates are needed.

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts