FAQs & Troubleshooting

Date: 03/05/2024 ID: faq00100823_000

Web Based Management Vulnerabilities on Brother Machines: CVE-2024-21824 and CVE-2024-22475

Description

Session Management Vulnerability

Vulnerability Reference: CVE-2024-21824

Attackers can gain access to the server's setting screen by obtaining session IDs of logged-in users and impersonating them, or by stealing login credentials and tricking users into opening malicious URLs. 
Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-21824

 

Cross-Site Request Forgery (CSRF) Vulnerability

Vulnerability Reference: CVE-2024-22475

If authenticated users unknowingly submit requests to their machines via a malicious site set up for CSRF attacks, it may allow the attackers to change the Web Based Management settings.

Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2024-22475

 

Affected models

Click here to see the affected models, their firmware update status, and the correct solution for each model (type A or B).

 

Possible Solutions

Type A models:

Update the machine’s firmware using the Firmware Update Tool.

 

Type B models:

  1. Update the machine’s firmware using the Firmware Update Tool.
  2. The machine will restart.
  3. Follow the instructions below to disable Web Based Management.

    LCD models:
    When the machine is in standby mode, follow these steps to disable Web Based Management from the machine's LCD:
    Menu > 6*. Network > 4*. Web Based Management > OFF
    (* The numbers may vary depending on your model.)

    LED models (HL-12 series):
    1. Close the top cover (if open) and unplug the machine.
    2. Press and hold the power button while plugging the power cable back into the outlet.
      All LEDs will light up.
    3. Still pressing and holding the power button, open the top cover, and then close it again.
      The Error LED will turn off.
    4. Release the power button.  
      All LEDs will turn off.
    5. Press the power button 5 times. 
      The power LED will light up each time the power button is pressed.
    6. Wait for approximately 1 minute.
    7. Web Based Management is disabled. 
      You can confirm this by printing the "Printer Setting" page and checking the following setting:
      [Network Configuration] > [Web Based Management: Enabled/Disabled]
      • Follow the same steps to enable Web Based Management.
      • To reduce the likelihood of such attacks, keep Web Based Management disabled until you need to use it, and disable it again when you have finished.

If you need further assistance, please contact Brother customer service:
