Notification about the vulnerability for RSA key in our multi-function printers and single-function printers
March 2, 2022
March 14, 2022
March 22, 2022
Dear Customers,
We would like to thank you for your continuous support of Fujifilm (former Fuji Xerox) products.
A potential vulnerability was found in the cryptographic module used by our multi-function printers and single-function printers listed in the table below. We recommend that customers check whether their printer is in the list and is affected by this vulnerability.
As of now, there are no reported cases of this vulnerability. Listed below are some measures that can be applied immediately to your printer to reduce the impact.
Affected models and the status of fixed firmware
The models listed below are affected by this vulnerability. Firmware versions listed below DO NOT have this vulnerability.
Affected models | Fixed firmware version (as of March 1, 2022)
---|---
Apeos C7070 / C6570 / C5570 / C4570 / C3570 / C3070 / C7070 G / C6570 G / C5570 G / C4570 G / C3570 G / C3070 G | 1.1.7 or later
Apeos C328 df / C328 dw / C325 dw / C325 z | 202112062053 or later
Apeos C8180 / C7580 / C6580 | 1.1.6 or later
ApeosPort 3560 / 3060 / 2560 / 3560 G / 3060 G / 2560 G | 1.60.9 or later
ApeosPort 5570 / 4570 / 5570 G / 4570 G | 1.60.9 or later
ApeosPort C3060 / C2560 / C2060 / C3060 G / C2560 G / C2060 G | 1.60.9 or later
ApeosPort C7070 / C6570 / C5570 / C4570 / C3570 / C3070 / C7070 G / C6570 G / C5570 G / C4570 G / C3570 G / C3070 G | 1.60.9 or later
ApeosPort Print C5570 | 1.60.9 or later
ApeosPort-VII 5021 / P4021 / 4021 | 1.60.9 or later
ApeosPort-VII CP4421 / C4421 / C3321 | 1.60.9 or later
ApeosPort-VII C7773 / C6673 / C5573 / C4473 / C3373 / C3372 / C2273 | 1.60.2 or later
ApeosPort-VII C7788 / C6688 / C5588 | 1.60.1 or later
ApeosPro C810 / C750 / C650 | 1.1.6 or later
ApeosPrint C328 / C328 dw / C325 dw | 202112062117 or later
DocuCentre-VII C7773 / C6673 / C5573 / C4473 / C3373 / C3372 / C2273 | 1.60.2 or later
DocuCentre-VII C7788 / C6688 / C5588 | 1.60.1 or later
DocuPrint 4405 d / 4408 d / 3505 d / 3508 d / 3205 d / 3208 d | 1.57.5 or later
DocuPrint C3555 d / C2555 d | 1.57.6 or later
PrimeLink C9070 / C9065 | 1.145.1 or later
Details of vulnerability
This vulnerability exists in a third-party cryptographic module used in the multi-function printers and single-function printers: the RSA private key used for SSL/TLS encrypted connections can be guessed. If the vulnerability is exploited, the contents of connections to affected devices could be disclosed or tampered with.
Workaround Measures
In order to avoid a security breach, please apply either (or both) of the measures below until the fixed firmware is released.
- Recreate “Self-Signed Certificates” or “Certificate Signing Request (CSR)” after either of the settings below is completed. You can recreate certificates via CentreWare Internet Service or Internet Service.
  - Enable FIPS 140-2 certification mode. The ApeosPort-VII/DocuCentre-VII series and the Apeos/ApeosPro/ApeosPrint series support this feature.
  - Select “ECDSA/SHA-256”, “ECDSA/SHA-384” or “ECDSA/SHA-512” from “Type of digital signing” as the elliptic curve cryptography setting.
- Please use your multi-function printers or single-function printers within a network protected by a firewall or similar.
- If your multi-function printer or single-function printer is reachable from the Internet, we encourage the use of the “restricted IP addresses” function of your firewall or the use of a VPN connection.
Eliminating the Vulnerability
The latest firmware that fixes the vulnerability has been released.
Until the fixed firmware is available for your model, please apply the Workaround Measures listed above to reduce the impact.
After the firmware has been upgraded, customers must recreate “Self-Signed Certificates” and “Certificate Signing Request (CSR)”. The steps for recreating them are described in the Appendix.
For customers who have accepted the automatic firmware upgrade with the EP-BB maintenance contract, the firmware upgrade will be done by the EP-BB function after the release of the fixed firmware.
For other customers, please contact FUJIFILM Business Innovation via the support website at https://support-fb.fujifilm.com/
Caution
It is important that customers recreate “Self-Signed Certificates” and “Certificate Signing Request (CSR)” after the firmware is upgraded, to strengthen security. If you do not recreate the “Self-Signed Certificates” and “Certificate Signing Request (CSR)”, your devices might still be exposed to and impacted by the vulnerability (even after upgrading the firmware).
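As an added example that is not part of this advisory, the following shell script checks the two things the advisory asks administrators to confirm: whether a device's TLS certificate uses an RSA or ECDSA key and signature (the “Type of digital signing” workaround above) and whether the certificate was recreated on or after the firmware upgrade date (the Caution above). It assumes the openssl CLI and GNU date; `printer.example` and the two sample certificates are constructed placeholders.

```shell
#!/bin/sh
# Added example, not part of the Fujifilm advisory: check a printer's TLS
# certificate against what the advisory asks for after the firmware upgrade.
# Assumes GNU date (-d) and the openssl CLI; host names are placeholders.
set -eu

# Fetch the certificate a device presents on its HTTPS port (CWIS), as PEM.
fetch_device_cert() {  # usage: fetch_device_cert <ip-or-host> [port]
    openssl s_client -connect "$1:${2:-443}" </dev/null 2>/dev/null | openssl x509
}

# Public key algorithm of a PEM certificate: "rsaEncryption" or "id-ecPublicKey".
cert_key_algo() { openssl x509 -in "$1" -noout -text | sed -n 's/.*Public Key Algorithm: //p'; }

# Signature algorithm, e.g. "sha256WithRSAEncryption" or "ecdsa-with-SHA256".
cert_sig_algo() { openssl x509 -in "$1" -noout -text | sed -n 's/^ *Signature Algorithm: //p' | head -n 1; }

# notBefore of the certificate as a Unix timestamp.
cert_not_before_epoch() {
    date -u -d "$(openssl x509 -in "$1" -noout -startdate | sed 's/^notBefore=//')" +%s
}

# "OK" if the certificate was created on or after the firmware upgrade date
# (YYYY-MM-DD), otherwise "RECREATE": a certificate that predates the upgrade
# may still carry a key generated by the vulnerable module.
check_cert() {
    if [ "$(cert_not_before_epoch "$1")" -ge "$(date -u -d "$2" +%s)" ]; then echo OK; else echo RECREATE; fi
}

# Constructed sample certificates so the script runs offline: one RSA, one ECDSA.
TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
RSA_CERT=$TMP/rsa.pem; EC_CERT=$TMP/ec.pem
openssl req -x509 -newkey rsa:2048 -nodes -keyout "$TMP/rsa.key" -out "$RSA_CERT" \
    -subj /CN=printer.example -days 365 2>/dev/null
openssl ecparam -name prime256v1 -genkey -noout -out "$TMP/ec.key"
openssl req -x509 -new -key "$TMP/ec.key" -out "$EC_CERT" -subj /CN=printer.example -days 365 2>/dev/null

# Report both sample certificates against a placeholder upgrade date.
for c in "$RSA_CERT" "$EC_CERT"; do
    printf '%s: key=%s sig=%s upgrade-check=%s\n' "$c" "$(cert_key_algo "$c")" \
        "$(cert_sig_algo "$c")" "$(check_cert "$c" 2022-03-01)"
done
```

For a live device, replace the sample files with `fetch_device_cert <device-ip> > device.pem` and pass `device.pem` plus the date the firmware was upgraded to `check_cert`.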
Related information
Please refer to the reference sites below for publicly available details of the security risk.
Appendix
- Please access your multi-function printer's or single-function printer's CWIS (CentreWare Internet Service) via a web browser using the device IP address, as an Administrator.
- Once you are logged in, please click on the “System” tab. Please refer to the sample image below.
- Please scroll down and click on the “Certificates” option. Please refer to the sample image below.
- Please click on “Certificate Settings” and click on the “Create” dropdown list. An option to “Create Certificate Signing Request (CSR)” will be available for your selection.
- Please note that the sample images are from the Apeos C6580; there may be differences in the CentreWare Internet Service user interface depending on your model.
Contact
Please visit the FUJIFILM Business Innovation support website for more details: