CVE-2022-24673

9.8 CRITICAL

📋 TL;DR

CVE-2022-24673 is a critical buffer overflow vulnerability in Canon imageCLASS MF644Cdw printers that allows remote attackers to execute arbitrary code as root without authentication. The flaw lies in the SLP protocol implementation, where the length of user-supplied data is not validated before it is copied into a fixed-size buffer. Organizations using affected Canon printers are at risk of complete device compromise.

💻 Affected Systems

Products:
  • Canon imageCLASS MF644Cdw
Versions: Firmware version 10.02
Operating Systems: Printer firmware
Default Config Vulnerable: ⚠️ Yes
Notes: All installations running the vulnerable firmware are affected. SLP is typically enabled by default.

⚠️ Risk & Real-World Impact

🔴 Worst Case: A remote attacker gains full root access to the printer, installs persistent malware, uses the printer as a pivot point into the internal network, and potentially bricks the device.

🟠 Likely Case: A remote attacker executes arbitrary code to steal print jobs or credentials, or enlists the printer in a botnet for DDoS attacks.

🟢 If Mitigated: With proper network segmentation and access controls, impact is limited to compromise of the printer itself, without lateral movement.

🌐 Internet-Facing: HIGH - No authentication required, exploit is remote, and CVSS 9.8 indicates critical internet-facing risk.
🏢 Internal Only: HIGH - Even internally, attackers can exploit without credentials to gain root access and pivot.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: LIKELY
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

The ZDI-CAN-15845 reference suggests exploit development; the absence of any authentication requirement makes exploitation straightforward.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware version 10.03 or later

Vendor Advisory: https://www.usa.canon.com/support/canon-product-advisories/canon-laser-printer-inkjet-printer-and-small-office-multifunctional-printer-measure-against-buffer-overflow

Restart Required: Yes

Instructions:

1. Download the latest firmware from the Canon support site.
2. Upload the firmware via the printer web interface.
3. Apply the update.
4. Reboot the printer.

🔧 Temporary Workarounds

Disable SLP Protocol (all platforms)

Disable Service Location Protocol on affected printers to close the exploitation vector:

Access printer web interface > Network Settings > Protocol Settings > Disable SLP

Network Segmentation (linux)

Isolate printers on a separate VLAN with strict firewall rules:

# Example firewall rule to block SLP (port 427)
# SLP is registered on port 427 for both UDP and TCP, so a matching -p tcp rule is needed for full coverage
iptables -A INPUT -p udp --dport 427 -j DROP

🧯 If You Can't Patch

  • Segment printers on isolated network with no internet access
  • Implement strict firewall rules blocking all inbound traffic to printers except essential management ports

🔍 How to Verify

Check if Vulnerable:

Check the printer firmware version via the web interface: Settings > Device Information > Firmware Version

Check Version:

curl -s http://printer-ip/ or check web interface

Verify Fix Applied:

Verify that the firmware version is 10.03 or higher after the update.

📡 Detection & Monitoring

Log Indicators:

  • Unusual SLP protocol traffic
  • Multiple failed buffer overflow attempts
  • Printer firmware modification logs

Network Indicators:

  • Excessive UDP port 427 traffic to printers
  • Unusual outbound connections from printers

SIEM Query:

source="firewall" dest_port=427 AND (protocol="udp" OR protocol="tcp") | stats count by src_ip
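As an added example (not from this advisory page or from Canon), the network indicator above turned into offline detection logic: it parses constructed key=value firewall log lines, keeps only UDP/TCP port 427 flows into an assumed printer VLAN (10.1.9.0/24), and flags any source that sends a burst of SLP flows inside a sliding time window, which the plain count-by-source query does not distinguish from routine discovery traffic.

```python
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta

SLP_PORT = 427
PRINTER_NET = ipaddress.ip_network("10.1.9.0/24")  # assumed printer VLAN

# Constructed sample firewall log lines (not real telemetry), key=value style.
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z src_ip=10.1.5.23 dest_ip=10.1.9.10 protocol=udp dest_port=427 action=allow
2024-03-01T10:00:02Z src_ip=10.1.5.23 dest_ip=10.1.9.10 protocol=udp dest_port=427 action=allow
2024-03-01T10:00:02Z src_ip=10.1.5.23 dest_ip=10.1.9.10 protocol=tcp dest_port=427 action=allow
2024-03-01T10:00:03Z src_ip=10.1.5.23 dest_ip=10.1.9.10 protocol=udp dest_port=427 action=allow
2024-03-01T10:00:05Z src_ip=10.1.5.40 dest_ip=10.1.9.10 protocol=udp dest_port=427 action=allow
2024-03-01T10:00:07Z src_ip=10.1.5.41 dest_ip=10.1.9.10 protocol=tcp dest_port=9100 action=allow
2024-03-01T10:00:09Z src_ip=10.1.5.23 dest_ip=10.1.9.11 protocol=udp dest_port=427 action=allow
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src_ip=(?P<src>\S+) dest_ip=(?P<dst>\S+) "
    r"protocol=(?P<proto>\w+) dest_port=(?P<port>\d+)"
)


def parse_slp_events(log_text):
    """Yield (timestamp, src_ip) for UDP/TCP port-427 flows aimed at the printer network."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m["port"]) != SLP_PORT or m["proto"] not in ("udp", "tcp"):
            continue
        if ipaddress.ip_address(m["dst"]) not in PRINTER_NET:
            continue
        yield datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"]


def flag_slp_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return {src_ip: peak_count} for sources with >= threshold SLP flows inside any window."""
    by_src = defaultdict(list)
    for ts, src in parse_slp_events(log_text):
        by_src[src].append(ts)
    flagged = {}
    for src, times in by_src.items():
        times.sort()
        start, peak = 0, 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[src] = peak
    return flagged
```

Tune the threshold to the baseline of legitimate SLP discovery in your environment before alerting on the result.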
