CVE-2023-6231

9.8 CRITICAL

📋 TL;DR

A critical buffer overflow vulnerability in the WSD probe request process of Canon multifunction printers allows attackers on the same network segment to crash affected devices or execute arbitrary code with high privileges. This affects specific Canon printer models sold in Japan, US, and Europe. The vulnerability requires no authentication and has a CVSS score of 9.8.

💻 Affected Systems

Products:
  • Satera LBP670C Series
  • Satera MF750C Series
  • Color imageCLASS LBP674C
  • Color imageCLASS X LBP1333C
  • Color imageCLASS MF750C Series
  • Color imageCLASS X MF1333C Series
  • i-SENSYS LBP673Cdw
  • i-SENSYS C1333P
  • i-SENSYS MF750C Series
  • i-SENSYS C1333i Series
Versions: Firmware v03.07 and earlier
Operating Systems: Printer firmware only
Default Config Vulnerable: ⚠️ Yes
Notes: Affected models vary by region: Japan, US, and Europe have different model names for essentially the same hardware. WSD (Web Services on Devices) protocol must be enabled (typically default).

⚠️ Risk & Real-World Impact

🔴 Worst Case

Remote code execution with SYSTEM/root privileges leading to complete device compromise, lateral movement to other network systems, and persistent backdoor installation.

🟠 Likely Case

Denial of service causing printers to become unresponsive, disrupting business operations and requiring physical restart or firmware reinstallation.

🟢 If Mitigated

Limited impact if printers are isolated on separate VLANs with strict network segmentation and access controls.

🌐 Internet-Facing: LOW (Printers should never be directly internet-facing; vulnerability requires network segment access)
🏢 Internal Only: HIGH (Attackers on internal network can exploit without authentication)

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

No authentication is required; exploitation likely involves sending specially crafted WSD probe requests. Technical details are not publicly available, but a buffer overflow in a network service suggests straightforward exploitation.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Firmware v03.08 or later

Vendor Advisory: https://psirt.canon/advisory-information/cp2024-001/

Restart Required: Yes

Instructions:

1. Identify affected printer models and current firmware version.
2. Download firmware update from Canon support portal for your region.
3. Upload firmware via printer web interface or USB.
4. Apply update and restart printer.
5. Verify firmware version is v03.08 or higher.

🔧 Temporary Workarounds

Disable WSD Protocol

Disable Web Services on Devices (WSD) protocol to prevent exploitation via network.

Access printer web interface -> Network Settings -> TCP/IP Settings -> Disable WSD

Network Segmentation

Isolate printers on separate VLAN with strict firewall rules.

Configure switch: vlan 10, name Printer-VLAN
Add firewall rule: deny all to printer subnet except management IPs

🧯 If You Can't Patch

  • Segment printers on isolated network VLAN with strict access controls
  • Disable WSD protocol and use alternative printing protocols like IPP or LPD

🔍 How to Verify

Check if Vulnerable:

Check the printer firmware version via the web interface (Settings -> Device Information) or a printed configuration page. If the firmware is v03.07 or earlier and WSD is enabled, the device is vulnerable.

Check Version:

curl -s http://printer-ip/ (replace printer-ip with the printer's address), or check the printer web interface manually

Verify Fix Applied:

Confirm firmware version is v03.08 or higher via printer web interface or configuration page.

📡 Detection & Monitoring

Log Indicators:

  • Printer crash/restart logs
  • Unusual WSD protocol traffic spikes
  • Failed firmware update attempts

Network Indicators:

  • Unusual WSD probe requests to printer IPs
  • Traffic patterns matching buffer overflow attempts

SIEM Query:

source="network_firewall" dest_ip="printer_subnet" protocol="WSD" AND (packet_size>normal OR pattern="malformed")
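
The network indicators and SIEM query above, written out as runnable detection logic over firewall or sensor log lines. This is an added example, not code from the advisory or from Canon. It assumes WS-Discovery probes travel over UDP port 3702 (unicast or to the 239.255.255.250 multicast group); the log format, printer subnet, management allowlist and size threshold are constructed placeholders to replace with site values.

```python
import ipaddress

# Assumptions (not from the advisory): site-specific values and log format.
PRINTER_NET = ipaddress.ip_network("10.20.30.0/24")   # placeholder printer VLAN
MGMT_HOSTS = {ipaddress.ip_address("10.20.0.5")}      # placeholder print server
WSD_MCAST = ipaddress.ip_address("239.255.255.250")   # WS-Discovery multicast group
WSD_PORT = 3702                                        # WS-Discovery UDP port
MAX_PROBE_BYTES = 1400                                 # assumed baseline, tune per site

# Constructed sample log lines (key=value), not real traffic.
SAMPLE_LOG = """\
ts=2024-02-06T09:00:01Z src=10.20.0.5 dst=10.20.30.11 proto=udp dport=3702 bytes=612
ts=2024-02-06T09:00:07Z src=10.20.44.9 dst=10.20.30.11 proto=udp dport=3702 bytes=640
ts=2024-02-06T09:00:09Z src=10.20.44.9 dst=10.20.30.11 proto=udp dport=3702 bytes=4096
ts=2024-02-06T09:00:12Z src=10.20.44.9 dst=10.20.30.11 proto=tcp dport=631 bytes=300
ts=2024-02-06T09:00:15Z src=10.20.30.77 dst=239.255.255.250 proto=udp dport=3702 bytes=700
malformed line without fields
"""

def parse(line):
    """Return a dict of key=value fields, or None if required fields are missing."""
    fields = dict(p.split("=", 1) for p in line.split() if "=" in p)
    required = {"src", "dst", "proto", "dport", "bytes"}
    return fields if required <= fields.keys() else None

def classify(fields):
    """Return None (ignore), 'unexpected-source' or 'oversized-probe'."""
    if fields["proto"] != "udp" or int(fields["dport"]) != WSD_PORT:
        return None
    src = ipaddress.ip_address(fields["src"])
    dst = ipaddress.ip_address(fields["dst"])
    if dst not in PRINTER_NET and dst != WSD_MCAST:
        return None
    if int(fields["bytes"]) > MAX_PROBE_BYTES:
        return "oversized-probe"   # alert even when the source is allowlisted
    return None if src in MGMT_HOSTS else "unexpected-source"

def detect(log_text):
    """Return a list of (timestamp, source, reason) for lines worth an alert."""
    alerts = []
    for line in log_text.splitlines():
        fields = parse(line)
        reason = classify(fields) if fields else None
        if reason:
            alerts.append((fields.get("ts", "?"), fields["src"], reason))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(*alert)
```

Correlating these alerts with printer crash or restart events in the same time window covers the log indicators listed above.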
