Canon issues patch for seven critical issues in office printers

Canon has released software updates to rectify seven critical-severity vulnerabilities found in numerous models of small office printers.

The issues are tracked under the CVE identifiers CVE-2023-6229, CVE-2023-6230, CVE-2023-6231, CVE-2023-6232, CVE-2023-6233, CVE-2023-6234 and CVE-2024-0244, these vulnerabilities have been assigned a CVSS score 9.8.

The vulnerabilities were detected in various components of the printers, including the processes for CPCA PDL resource download, Address Book password, WSD probe request, Address Book username, SLP attribute request, CPCA Color LUT resource download, and CPCA PCFAX number. These flaws make the printers susceptible to unauthorized code execution and denial-of-service (DoS) attacks if they are directly connected to the internet without the protection of a router.

The affected printer models vary by region:

• i-SENSYS LBP673Cdw, MF752Cdw, MF754Cdw, C1333i, C1333iF, and C1333P series in Europe,
• imageCLASS MF753CDW, MF751CDW, MF1333C, LBP674CDW, and LBP1333C series in North America;
• Satera LBP670C and MF750C series in Japan.

All models are at risk if they are running firmware versions 03.07 or earlier.

While there have been no reported instances of these vulnerabilities being exploited in the wild, Canon strongly recommends that customers take precautionary measures. This includes installing the latest firmware updates and configuring network settings to restrict unauthorized access to the printers by using firewalls or routers and assigning private IP addresses to the devices.

Canon urges customers to download and install the latest firmware updates from their regional websites to mitigate these vulnerabilities and enhance product security.