Notification on the vulnerabilities in Web Based Management embedded in FUJIFILM printers

March 6th, 2024

Dear Customers,

Thank you for your continuous support towards FUJIFILM products.

We regret to inform you that two potential vulnerabilities were found in the Web Based Management embedded in the FUJIFILM printers listed in the table below.

We recommend that customers check whether their printer is on the list and is affected by those vulnerabilities. If so, please consider upgrading the device to the fixed firmware and performing the operations described below.

Affected models and the versions of fixed firmware

The models listed below are affected by those vulnerabilities.
The firmware versions listed below fix those vulnerabilities.
The “Operation type” column shows the operation that should be performed to apply the countermeasure. Please refer to the “Operation Type” sections below.

| Product name | Fixed firmware versions (Main ver. / Sub ver.) | Operation type | Note |
|---|---|---|---|
| DocuPrint P378 d | Ver.1.21 / Ver.1.05 | A | CSRF vulnerability only |
| DocuPrint P375 d | Ver.1.21 / Ver.1.05 | A | CSRF vulnerability only |
| DocuPrint P375 dw | Ver.1.21 / Ver.1.05 | A | CSRF vulnerability only |
| DocuPrint P378 dw | Ver.1.21 / Ver.1.05 | A | CSRF vulnerability only |
| DocuPrint P385 dw | Ver.1.19 / Ver.1.05 | A | CSRF vulnerability only |
| DocuPrint P388 dw | Ver.1.19 / Ver.1.05 | A | CSRF vulnerability only |
| DocuPrint M378 d | Ver.K / Ver.1.05 | A | CSRF vulnerability only |
| DocuPrint M375 df | Ver.K / Ver.1.05 | A | CSRF vulnerability only |
| DocuPrint M378 df | Ver.K / Ver.1.05 | A | CSRF vulnerability only |
| DocuPrint M375 z | Ver.K / Ver.1.05 | A | CSRF vulnerability only |
| DocuPrint M385 z | Ver.L / Ver.1.05 | A | CSRF vulnerability only |
| DocuPrint P235 d | Ver.1.15 | B | |
| DocuPrint P275 dw | Ver.1.15 | B | |
| DocuPrint P285 dw | Ver.1.15 | B | |
| DocuPrint P288 dw | Ver.1.15 | B | |
| DocuPrint M235 dw | Ver.K / Ver.1.04 | B | |
| DocuPrint M235 z | Ver.K / Ver.1.04 | B | |
| DocuPrint M275 z | Ver.L / Ver.1.04 | B | |
| DocuPrint M285 z | Ver.L / Ver.1.04 | B | |
| DocuPrint M288 dw | Ver.E / Ver.1.04 | B | |
| DocuPrint M288 z | Ver.E / Ver.1.04 | B | |
| DocuPrint P225 d | Ver.1.18 / Ver.1.07 | C | |
| DocuPrint P268 d | Ver.1.22 / Ver.1.07 | C | |
| DocuPrint P268 dw | Ver.1.22 / Ver.1.07 | C | |
| DocuPrint P265 dw | Ver.1.22 / Ver.1.07 | C | |
| DocuPrint M268 dw | Ver.M / Ver.1.07 | C | |
| DocuPrint M268 z | Ver.M / Ver.1.07 | C | |
| DocuPrint M225 dw | Ver.P / Ver.1.07 | C | |
| DocuPrint M225 z | Ver.P / Ver.1.07 | C | |
| DocuPrint M265 z | Ver.P / Ver.1.07 | C | |
| DocuPrint P118 w | Ver. 1.12 | D | |
| DocuPrint P115 w | Ver. 1.12 | D | |
| DocuPrint M118 w | Ver. M | C | |
| DocuPrint M118 z | Ver. M | C | |
| DocuPrint M115 w | Ver. M | C | |
| DocuPrint M115 fw | Ver. M | C | |
| DocuPrint M115 z | Ver. M | C | |
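
An added example, not part of the original notice and not FUJIFILM tooling: a Python check that compares a printer inventory against the fixed versions in the table above and returns the operation type for each device. It assumes versions are ordered (dotted numbers numerically, letter versions alphabetically) and that a device is at the fixed level only when both main and sub versions meet the listed values; the inventory rows are constructed samples.

```python
import re

FIXED = [  # from the advisory table: (main, sub or None, operation type, models)
    ("1.21", "1.05", "A", "P378 d, P375 d, P375 dw, P378 dw"),
    ("1.19", "1.05", "A", "P385 dw, P388 dw"),
    ("K", "1.05", "A", "M378 d, M375 df, M378 df, M375 z"),
    ("L", "1.05", "A", "M385 z"),
    ("1.15", None, "B", "P235 d, P275 dw, P285 dw, P288 dw"),
    ("K", "1.04", "B", "M235 dw, M235 z"),
    ("L", "1.04", "B", "M275 z, M285 z"),
    ("E", "1.04", "B", "M288 dw, M288 z"),
    ("1.18", "1.07", "C", "P225 d"),
    ("1.22", "1.07", "C", "P268 d, P268 dw, P265 dw"),
    ("M", "1.07", "C", "M268 dw, M268 z"),
    ("P", "1.07", "C", "M225 dw, M225 z, M265 z"),
    ("1.12", None, "D", "P118 w, P115 w"),
    ("M", None, "C", "M118 w, M118 z, M115 w, M115 fw, M115 z"),
]
INDEX = {m.strip().lower(): (main, sub, op)
         for main, sub, op, models in FIXED for m in models.split(",")}

def ver_key(v):
    """'Ver. 1.21' -> ('n', (1, 21)); 'Ver.K' -> ('a', (1, 'K')). Ordering is assumed."""
    v = re.sub(r"^\s*ver\.?\s*", "", v, flags=re.I).strip().upper()
    if re.fullmatch(r"\d+(\.\d+)*", v):
        return ("n", tuple(int(p) for p in v.split(".")))
    if re.fullmatch(r"[A-Z]+", v):
        return ("a", (len(v), v))
    raise ValueError(f"unrecognised version: {v!r}")

def check(model, main, sub=None):
    """Return (status, operation_type); status is fixed/update/unknown/not-listed."""
    name = re.sub(r"^docuprint\s+", "", model.strip(), flags=re.I).lower()
    if name not in INDEX:
        return ("not-listed", None)
    fixed_main, fixed_sub, op = INDEX[name]
    for have, need in ((main, fixed_main), (sub, fixed_sub)):
        if need is None:  # the table gives no sub version for this model
            continue
        if have is None or ver_key(have)[0] != ver_key(need)[0]:
            return ("unknown", op)  # missing, or letter vs number: check by hand
        if ver_key(have) < ver_key(need):
            return ("update", op)
    return ("fixed", op)

if __name__ == "__main__":
    inventory = [("DocuPrint P378 dw", "Ver.1.20", "Ver.1.05"),  # constructed sample
                 ("DocuPrint M115 fw", "Ver. K", None)]
    for model, main, sub in inventory:
        print(model, *check(model, main, sub))
```

A device reported as fixed with operation type C or D still needs the Web Based Management OFF step described under Countermeasure.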

Details of vulnerability

Web Based Management is embedded in the above models and makes it possible to operate the devices or change their configuration via a web browser.

  1. Improper Authentication
    By using a cookie-theft attack, an attacker may be able to gain unauthorized access to the Web Based Management function and view or change settings and information stored in the device.
  2. Cross-Site Request Forgery (CSRF)
    Cross-Site Request Forgery (CSRF) is an attack that forces a user to execute unwanted actions on a web application in which they are currently authenticated. With the Web Based Management function, an attacker exploiting the vulnerability may be able to view or change settings and information stored in the device.

Countermeasure

Please update the firmware to the fixed version. There are links to the download page in the above “Affected models and the versions of fixed firmware” table.

Please perform the operation designated in the “Operation Type” column for your model. The operations for each Operation Type (A, B, C, and D) are shown below.

Operation type A or B

  1. Update the firmware using the Firmware update tool.
  2. Wait for the device to restart and become ready.

Operation type C

  1. Update the firmware using the Firmware update tool.
  2. Wait for the device to restart and become ready.
  3. Enter the menu mode.
  4. Operate as follows: Menu > 6. Network > 4. Web Based Management > OFF*
  • * The numbers on each item may be different for each model.
    If you want to turn this function ON again, please select “ON” in operation #4 above.

Operation type D

On this device, the Web Based Management function is switched alternately between ON and OFF. Please set this function to OFF with this operation.

  1. Update the firmware using the Firmware update tool.
  2. Wait for the device to restart and become ready.
  3. Close the top cover and pull out the power plug.
  4. With top cover closed, keep pressing the power button and put the power plug in. Confirm that all the LEDs turn on.
  5. While keeping the power button pressed, open the top cover, and close it again. Confirm that the Error LED turns off.
  6. Release the power button and confirm that all the LEDs turn off.
  7. Press the power button five times and confirm that the power LED turns on when you push the power button.
  8. Wait for one minute.
  9. Print the Print Settings Page and confirm the Web Based Management item on Network Configuration is “Disabled.”
  10. If it is “Enabled,” then go back to operation #3 on this list.

Workarounds

Until the firmware is updated to the fixed version, we ask customers to apply the workarounds below, which can reduce the risk of attack.

  • Please use your multi-function or single-function printers within a network protected by a firewall or similar.
  • If access from the Internet is permitted, please consider restricting access to specific IP addresses only, or use a VPN to connect.

Related Information

CVE-2024-21824: Improper Authentication (CWE-287)

CVE-2024-22475: Cross-Site Request Forgery (CWE-352)

Contact

Please visit the FUJIFILM Business Innovation support website for more details:

https://support-fb.fujifilm.com/