Privilege escalation in multiple RICOH printer drivers



| Updated: 2020-02-25
Risk Low
Patch available NO
Number of vulnerabilities 1
CVE-ID CVE-2019-19363
CWE-ID CWE-264
Exploitation vector Local
Public exploit Public exploit code for vulnerability #1 is available.
Vulnerable software
 PCL6 Driver for Universal Print
Hardware solutions / Drivers

PS Driver for Universal Print
Hardware solutions / Drivers

PC FAX Generic Driver
Hardware solutions / Drivers

Generic PCL5 Driver
Hardware solutions / Drivers

RPCS Driver
Hardware solutions / Drivers

PostScript3 Driver
Hardware solutions / Drivers

PCL6 (PCL XL) Driver
Hardware solutions / Drivers

RPCS Raster Driver
Hardware solutions / Drivers

Vendor RICOH COMPANY, LTD.

Security Bulletin

This security bulletin contains one low risk vulnerability.

1) Permissions, Privileges, and Access Controls

EUVDB-ID: #VU25569

Risk: Low

CVSSv3.1: 7.6 [CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:F/RL:U/RC:C]

CVE-ID: CVE-2019-19363

CWE-ID: CWE-264 - Permissions, Privileges, and Access Controls

Exploit availability: Yes

Description

The vulnerability allows a local user to escalate privileges on the system.

The vulnerability exists due to improper permissions check. A local user can who can login to the computer where the affected printer driver is installed can use a specially crafted printer driver and gain administrative privileges on the target system.

Mitigation

Vendor recommends to download the security program Ver.1.3.0.0.


Printer Driver Version Model Name
PCL6 Driver for Universal Print Version 4.0 or later
  • All models that use this driver.
PS Driver for Universal Print Version 4.0 or later
  • All models that use this driver.
PC FAX Generic Driver All versions
  • All models that use this driver.
Generic PCL5 Driver All versions
  • All models that use this driver.
RPCS Driver All versions
  • DD 3324/DD 3334/DD 3344C/SD375
  • DD 6650P/SD 710
PostScript3 DriverAndPCL6 (PCL XL) Driver All versions Color MFPs
  • DSc 930/935/1020/1025/1030/1045/1060/1120/1220/1225/ 1230/1245/1260 Series
  • GS 3020c/3021c/3025c/3030c/3045c/3160c Series,
  • IM C300/C400/C2000/C2500/C3000/C3500/C4500/C5500/ C6000 Series
  • M C2001
  • MP C305/C306/C307/C401/C406/C407/C501/C2003/C2004/ C2011/C2094/C2503/C2504/C2594/C3002/C3003/C3004/C3502/C3503/C3504/C4502/C4503/C4504/C5502/C5503/C5504/C6003/C6004/C6502/C6503/C8002/C8003 Series
Black and White MFPs
  • DSm 923/928/933/940/950/1525SP/1530SP/1533SP/2525SP/2530SP/2535SP/2540SP/2550SP/2560SP/2625SP/2630SP/2635SP/ 2640SP/ 2650SP/2660SP
  • IM 350/430/550/600/2702 Series
  • MP 301/305/401SPF/402SPF/501SPF/601SPF/2001SP/2352/2501SP/2553/2554/2555/2852/3053/3054/3055/3352/3353/3554/3555/4002/4054/4055/5002/5054/5055/6002/6054/6055/6503/7502/7503/9002/9003 Series
Printers
  • P 501/502/800/801/C600
  • SP 400DN/450DN/3600DN/3600SF/3610SF/4310N/4510DN/ 4510SF/4520DN/5200S/5210SF/5210SR/5300DN/5310DN/ 6430DN/8300DN/8400DN,
  • SP C320DN/C340DN/C342DN/C352DN/C360DNw/ C360SFNw/C360SNw/C361SFNw/C440DN/C730DN/C830DN/C831DN/C840DN/C842DN Series
WIDE FORMAT MFPs
  • MP CW2200SP/CW2201SP/W6700/W7100/W8140 Series
Production Printers
  • Pro C5100S/C5110S/C5200S/C5210S/ C7100/C7110/C7200/C7210 Series
  • Pro 8100/8110/8120/8200/8210/8220/8300/8310/8320 Series
  • TotalFlow Print Server R-62/R-62A/R-61A/R-61/R-60A/R-60
RPCS Raster Driver All versions GELJETs
  • GX E2600/E3300N/E3350N/E5550N/E7700N/2500/3000/3000S/3000SF/3050SFN/5050N/7000 Series
  • SG 2100N/3100SNW/3110SFNW/3120BSFNW/7100DN Series
Garment Printer
  • Ri 100

Vulnerable software versions

PCL6 Driver for Universal Print: 4.0

PS Driver for Universal Print: 4.0

PC FAX Generic Driver: All versions

Generic PCL5 Driver: All versions

RPCS Driver: All versions

PostScript3 Driver: All versions

PCL6 (PCL XL) Driver: All versions

RPCS Raster Driver: All versions

CPE2.3 External links

http://www.ricoh.com/info/2020/0122_1/
http://jvn.jp/en/jp/JVN15697526/index.html
http://support.ricoh.com/bb/html/dr_ut_e/re1/model/Security_Patch/Security_Patch.htm


Q & A

Can this vulnerability be exploited remotely?

No. This vulnerability can be exploited locally. The attacker should have authentication credentials and successfully authenticate on the system.

Is there known malware, which exploits this vulnerability?

No. We are not aware of malware exploiting this vulnerability. However, a fully functional exploit for this vulnerability is available.



###SIDEBAR###