Notification on the vulnerability in the encryption method used in the Address Book
October 31, 2023
November 9, 2023
Dear Customers,
We would like to thank you for your continued support of FUJIFILM products. We have confirmed a vulnerability in the encryption method used for the address book of FUJIFILM multifunctional printers.
Please refer to the description below for further details and consider applying the fixed firmware.
Details of the vulnerability
FUJIFILM multifunctional printers have a function that enables users to retrieve information registered in the address book. When the address book information is retrieved using this function, the credentials in the retrieved information are encrypted.
The cryptography that this encryption method uses to protect the credentials is weak. If the cryptography is cracked, the credentials in the address book are exposed.
Countermeasure
Please update the firmware to the fixed version.
For customers who have accepted the automatic firmware upgrade with the EP-BB maintenance contract, the firmware upgrade will be done by the EP-BB function after the release of the fixed firmware.
For other customers, please contact FUJIFILM Business Innovation via the support website at https://support-fb.fujifilm.com/
Workarounds
Until the firmware is updated to the fixed version, please apply the workarounds below to reduce the risk of attack.
- Please use your multi-function or single-function printers within a network protected by a firewall or similar.
- If access from the Internet is permitted, please consider allowing access from restricted IP addresses only, or use a VPN to connect.
Related Information
Acknowledgements
We would like to express our gratitude to Kunal Thakrar and Ceri Coburn from Pen Test Partners for finding the vulnerability.
Contact
Please visit the FUJIFILM Business Innovation support website for more details:
https://support-fb.fujifilm.com/
Affected models and versions and fixed firmware versions
Affected models | Affected firmware versions | Fixed firmware versions |
---|---|---|
Apeos 3560 / 3060 / 2560 / 3560 GK / 3060 GK / 2560 GK | 1.0.0-1.2.16 | 1.2.17 |
Apeos 3560 / 3060 / 2560 / 3560 GK / 3060 GK / 2560 GK | 1.20.0-1.26.10 | 1.26.11 |
Apeos 5330 / 4830 | All versions older than the fixed version | 1.20.9 |
Apeos 5570 / 4570 | 1.0.0-1.3.6 | 1.3.7 |
Apeos 5570 / 4570 | 1.21.0-1.26.9 | 1.26.10 |
Apeos 6340 | 1.0.0-1.2.11 | 1.2.12 |
Apeos 6340 | 1.20.0-1.20.5 | 1.20.6 |
Apeos 7580 / 6580 | All versions older than the fixed version | 1.26.9 |
Apeos C2570 / C3070 / C3570 / C4570 / C5570 / C6570 / C7070 | 1.0.0-1.3.7 | 1.3.8 |
Apeos C2570 / C3070 / C3570 / C4570 / C5570 / C6570 / C7070 | 1.21.0-1.26.11 | 1.26.12 |
Apeos C3060 / C2560 / C2060 / C3060 GK / C2560 GK / C2060 GK | 1.0.0-1.2.14 | 1.2.15 |
Apeos C3060 / C2560 / C2060 / C3060 GK / C2560 GK / C2060 GK | 1.20.0-1.26.10 | 1.26.11 |
Apeos C4030 / C3530 | All versions older than the fixed version | 1.20.10 |
Apeos C5240 | 1.0.0-1.2.12 | 1.2.13 |
Apeos C5240 | 1.20.0-1.20.6 | 1.20.7 |
Apeos C8180 / C7580 / C6580 | 1.0.0-1.3.7 | 1.3.8 |
Apeos C8180 / C7580 / C6580 | 1.21.0-1.26.12 | 1.26.13 |
ApeosPort C3060 / C2560 / C2060 / C3060 G / C2560 G / C2060 G | 1.0.0-1.60.15 | 1.60.16 |
ApeosPort 3560 / 3060 / 2560 / 3560 G / 3060 G / 2560 G | 1.0.0-1.60.16 | 1.60.17 |
ApeosPort 5570 / 4570 / 3570 / 5570 G / 4570 G | All versions older than the fixed version | 1.60.16 |
ApeosPort C7070 / C6570 / C5570 / C4570 / C3570 / C3070 | All versions older than the fixed version | 1.60.18 |
ApeosPort-VII 5021 / 4021 | 1.5.0-1.60.14 | 1.60.16 |
ApeosPort-VII 5021 / 4021 | 1.0.0-1.60.2 | 1.60.3 |
ApeosPort-VII C4421 / C3321 | 1.5.0-1.60.14 | 1.60.16 |
ApeosPort-VII C4421 / C3321 | 1.0.0-1.60.2 | 1.60.3 |
ApeosPro C810 / C750 / C650 | 1.0.0-1.3.6 | 1.3.7 |
ApeosPro C810 / C750 / C650 | 1.21.0-1.26.14 | 1.26.14 |
PrimeLink C9070 / C9065 | All versions older than the fixed version | 1.145.4 |
Revoria Press E1136 / E1125 / E1110 / E1100 | 1.0.0-1.3.5 | 1.3.6 |
Revoria Press E1136 / E1125 / E1110 / E1100 | 1.21.0-1.26.11 | 1.26.12 |
RevoriaPress SC180 / SC170 | All versions older than the fixed version | 1.22.8 |
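
A fleet check against the table above, as an added example that is not part of FUJIFILM's advisory: several models have two firmware branches with separate fixed versions, so a single "older than the fixed version" comparison, or a string comparison of version numbers, gives wrong answers. The function names, the single-model keys, and the sample inventory are assumptions made for illustration, and only four rows of the table are transcribed.

```python
def parse(version):
    """'1.26.10' -> (1, 26, 10): compare numerically, not as strings."""
    return tuple(int(part) for part in version.strip().split("."))

# Subset of rows transcribed from the advisory table, keyed by one model of
# each family. Each entry is (first_affected, last_affected, fixed);
# first/last of None means "all versions older than the fixed version".
ADVISORY = {
    "Apeos 3560": [("1.0.0", "1.2.16", "1.2.17"), ("1.20.0", "1.26.10", "1.26.11")],
    "Apeos 5570": [("1.0.0", "1.3.6", "1.3.7"), ("1.21.0", "1.26.9", "1.26.10")],
    "Apeos 5330": [(None, None, "1.20.9")],
    "PrimeLink C9070": [(None, None, "1.145.4")],
}

def check(model, version):
    """Return the fixed version for the matching branch, or None if the
    version is not in a listed affected range. Raises KeyError for models
    that have not been transcribed into ADVISORY."""
    v = parse(version)
    for first, last, fixed in ADVISORY[model]:
        if first is None:
            if v < parse(fixed):
                return fixed
        elif parse(first) <= v <= parse(last):
            return fixed
    return None

def audit(inventory):
    """inventory: iterable of (host, model, version) -> affected devices."""
    return [(host, model, version, fixed)
            for host, model, version in inventory
            if (fixed := check(model, version)) is not None]

# Constructed inventory for illustration; hostnames and versions are made up.
SAMPLE_INVENTORY = [
    ("mfp-01", "Apeos 3560", "1.2.9"),        # older branch, affected
    ("mfp-02", "Apeos 3560", "1.2.17"),       # older branch, already fixed
    ("mfp-03", "Apeos 3560", "1.20.3"),       # newer branch, affected
    ("mfp-04", "Apeos 5330", "1.20.10"),      # newer than the fixed version
    ("mfp-05", "PrimeLink C9070", "1.99.0"),  # 99 < 145 only when numeric
]

if __name__ == "__main__":
    for host, model, version, fixed in audit(SAMPLE_INVENTORY):
        print(f"{host}: {model} {version} is affected, update to {fixed}")
```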