CVE-2024-28038
📋 TL;DR
This vulnerability allows remote attackers to execute arbitrary code on affected Sharp and Toshiba multifunction printers by sending an overly long MFPSESSIONID cookie value, causing a stack buffer overflow. Organizations using these devices' web interfaces are affected.
💻 Affected Systems
- Sharp multifunction printers
- Toshiba multifunction printers
⚠️ Manual Verification Required
This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.
Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).
🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.
- Review the CVE details at NVD
- Check vendor security advisories for your specific version
- Test if the vulnerability is exploitable in your environment
- Consider updating to the latest version as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Remote code execution leading to complete device compromise, lateral movement to internal networks, and data exfiltration.
Likely Case
Device compromise allowing attackers to intercept print jobs, steal credentials, or use the device as an internal foothold.
If Mitigated
Denial of service if overflow crashes the web service without code execution.
🎯 Exploit Status
Public technical details and proof-of-concept available; exploitation requires sending crafted HTTP request.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Varies by model - check vendor advisories
Vendor Advisory: https://global.sharp/products/copier/info/info_security_2024-05.html
Restart Required: Yes
Instructions:
1. Identify affected model from vendor advisories. 2. Download firmware update from vendor support site. 3. Apply update via device web interface or USB. 4. Reboot device.
🔧 Temporary Workarounds
Disable web interface
allTurn off HTTP/HTTPS management interface if not required
Access device settings > Network > HTTP/HTTPS > Disable
Network segmentation
allIsolate printers on separate VLAN with strict access controls
🧯 If You Can't Patch
- Block external access to printer web interfaces at firewall
- Implement strict network segmentation with ACLs limiting access to printer management interfaces
🔍 How to Verify
Check if Vulnerable:
Check device model and firmware version against vendor advisories; test with controlled overflow attempt in lab environment.Check Version:
Access device web interface > System Information > Firmware VersionVerify Fix Applied:
Verify firmware version matches patched version from vendor; test with same overflow attempt that should no longer crash.📡 Detection & Monitoring
Log Indicators:
- Web interface crash logs
- Unusually long cookie values in HTTP logs
- Multiple failed authentication attempts
Network Indicators:
- HTTP requests with MFPSESSIONID > 1000 characters
- Unexpected outbound connections from printers
SIEM Query:
http.cookie contains "MFPSESSIONID" AND length(http.cookie) > 1000🔗 References
- https://global.sharp/products/copier/info/info_security_2024-05.html
- https://jp.sharp/business/print/information/info_security_2024-05.html
- https://jvn.jp/en/vu/JVNVU93051062/
- https://pierrekim.github.io/blog/2024-06-27-sharp-mfp-17-vulnerabilities.html
- https://www.toshibatec.co.jp/information/20240531_02.html
- https://www.toshibatec.com/information/20240531_02.html
- http://seclists.org/fulldisclosure/2024/Jul/0
