Numerous Lexmark Printers affected by critical security issues

Martin Brinkmann
Mar 13, 2023

Lexmark confirmed this week that many of its printer models have security vulnerabilities, some of which are rated critical. The company has released seven security advisories for Lexmark devices. Successful exploitation of the vulnerabilities can result in remote code execution on a device. Updates are available for affected devices.

All security advisories were published on March 10, 2023. Hundreds of printers are affected, including Lexmark MC3224, Lexmark B2338, Lexmark CX930 and Lexmark XC9335.

The Lexmark printer vulnerabilities

Lexmark has released security advisories for the following vulnerabilities (links point to PDF documents on Lexmark's website):

  • CVE-2023-26063 -- A vulnerability has been identified in the PostScript interpreter in various Lexmark devices.
  • CVE-2023-26064 -- A vulnerability has been identified in the PostScript interpreter in various Lexmark devices.
  • CVE-2023-26065 -- A vulnerability has been identified in the PostScript interpreter in various Lexmark devices.
  • CVE-2023-26066 -- A vulnerability has been identified in the PostScript interpreter in various Lexmark devices.
  • CVE-2023-26067 -- This input validation vulnerability allows an attacker who has already compromised an affected Lexmark device to escalate privileges.
  • CVE-2023-26068 -- The embedded web server in newer Lexmark devices fails to properly sanitize input data which can lead to remote code execution on the device.
  • CVE-2023-26069 -- An input validation vulnerability has been identified in the web API of newer Lexmark devices.

Lexmark notes that it is "not aware of any malicious use against Lexmark products" at the time of publication of the seven security advisories. The vulnerabilities were reported to Lexmark by Trend Micro's Zero Day Initiative.

How to patch affected devices


Some Lexmark devices have Internet connectivity. These may check for and upgrade firmware directly from the embedded web server. To access the web interface, load the IP address of the printer in a web browser. Select Device > Update Firmware, and then Check for Updates. If an update is available, click "I agree, start update" to download and install it on the device.

Lexmark customers may also download updated firmware manually and install it on the printer to resolve the issue. The best starting point is to use Lexmark's official drivers & downloads support page to search for updates for a particular printer model.

Look for the most recent firmware for the printer in question and download it to the local system. Note that the file size may be several hundred megabytes.

It is recommended to check the security advisories linked above to make sure that the listed firmware on Lexmark's download website fixes the listed vulnerabilities.

Lexmark's firmware update instructions support page offers instructions on how to update the firmware of company devices.

Publisher
Ghacks Technology News