This vulnerability allows remote attackers to execute arbitrary code on affected installations of Canon imageCLASS MF644Cdw 10.02 printers. Authentication is not required to exploit this vulnerability. The specific flaw exists within the implementation of the SLP protocol. The issue results from the lack of proper validation of the length of user-supplied data prior to copying it to a fixed-length stack-based buffer. An attacker can leverage this vulnerability to execute code in the context of root. Was ZDI-CAN-15845.

Attack Vector Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

Attack Vector Adjacent Network

Attack Complexity Low

Privileges Required None

Scope Unchanged

Confidentiality Impact High

Integrity Impact High

Availability Impact High

User Interaction None

No CVSS v2

Vendors Products
Canon
  • Mf448dw Firmware
  • Mf452dw
  • Lbp214dw Firmware
  • 1435i\+ Firmware
  • Mf628cdw Firmware
  • Mf634cdw
  • Mf1238
  • Lbp251dw Firmware
  • Lbp654cdw Firmware
  • Lbp214dw
  • Lbp1238
  • 1435if\+
  • Mf624cdw Firmware
  • Mf729cdw
  • Mf741cdw
  • Mf741cdw Firmware
  • Mf429dw Firmware
  • Mf746cdw
  • Lbp226dw Firmware
  • Lbp622cdw
  • Mf624cdw
  • Wg7250z
  • Lbp228dw Firmware
  • Mf445dw
  • Lbp227dw
  • Ir1435i
  • Mf820cdn
  • Mf416dw Firmware
  • Mf8280cw Firmware
  • 1435p\+ Firmware
  • Mf419dw Firmware
  • Wg7250f
  • Lbp228dw
  • Lbp237dw Firmware
  • Mf451dw Firmware
  • Mf1127c Firmware
  • Mf1643i Ii Firmware
  • Wg7250f Firmware
  • Mf743cdw Firmware
  • Lbp1127c
  • Mf6180dw Firmware
  • Mf632cdw Firmware
  • D1650 Firmware
  • Mf733cdw Firmware
  • Lbp253dw Firmware
  • D1520
  • Mf452dw Firmware
  • Wg7240 Firmware
  • Mf726cdw
  • Lbp654cdw
  • Mf6180dw
  • Mf414dw
  • Mf810cdn
  • Ir1643i
  • Mf1238 Ii
  • Mf449dw
  • Lbp226dw
  • Lbp236dw Firmware
  • Mf445dw Firmware
  • Mf449dw Firmware
  • Mf1238 Ii Firmware
  • Lbp1238 Firmware
  • Mf543dw
  • Mf634cdw Firmware
  • Mf820cdn Firmware
  • Mf453dw
  • 1435i\+
  • Mf416dw
  • Lbp237dw
  • Mf8580cdw Firmware
  • 1435p
  • Wg7250z Firmware
  • Mf642cdw
  • Lbp251dw
  • Lbp253dw
  • Ir1435i Firmware
  • 1435p\+
  • Mf424dw
  • D1620
  • 1435if\+ Firmware
  • Mf644cdw
  • D1550
  • Lbp612cdw
  • Mf451dw
  • Mf6160dw Firmware
  • Mf735cdw
  • Mf1643if Ii
  • Lbp664cdw
  • Lbp1238 Ii Firmware
  • Mf426dw
  • Mf6160dw
  • Mf746cdw Firmware
  • Lbp236dw
  • Mf8280cw
  • Lbp664cdw Firmware
  • Mf429dw
  • Wg7250 Firmware
  • Lbp215dw Firmware
  • Mf743cdw
  • Mf543dw Firmware
  • Mf525dw
  • Lbp622cdw Firmware
  • Mf731cdw
  • Mf1643if Ii Firmware
  • 1435if Firmware
  • Ir1643i Firmware
  • Mf641cw Firmware
  • Mf641cw
  • Mf726cdw Firmware
  • Mf810cdn Firmware
  • 1435if
  • Mf8580cdw
  • Ir1643if
  • Mf745cdw
  • Lbp623cdw Firmware
  • Mf515dw Firmware
  • Mf515dw
  • Mf735cdw Firmware
  • 1435p Firmware
  • Mf628cdw
  • Mf1127c
  • Lbp215dw
  • Lbp227dw Firmware
  • Mf455dw Firmware
  • Mf414dw Firmware
  • Lbp1238 Ii
  • Wg7250
  • Lbp612cdw Firmware
  • Mf632cdw
  • D1550 Firmware
  • Mf745cdw Firmware
  • D1620 Firmware
  • Mf453dw Firmware
  • Mf419dw
  • Lbp1127c Firmware
  • Ir1643if Firmware
  • Mf426dw Firmware
  • Mf642cdw Firmware
  • Mf644cdw Firmware
  • Mf448dw
  • Mf731cdw Firmware
  • Mf525dw Firmware
  • Lbp623cdw
  • Mf1643i Ii
  • D1650
  • Mf455dw
  • Mf424dw Firmware
  • Mf1238 Firmware
  • D1520 Firmware
  • Wg7240
  • Mf733cdw
  • Mf729cdw Firmware

Configuration 1 [-]

AND
cpe:2.3:o:canon:d1620_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:d1620:-:*:*:*:*:*:*:*

Configuration 2 [-]

AND
cpe:2.3:o:canon:d1650_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:d1650:-:*:*:*:*:*:*:*

Configuration 3 [-]

AND
cpe:2.3:o:canon:d1520_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:d1520:-:*:*:*:*:*:*:*

Configuration 4 [-]

AND
cpe:2.3:o:canon:d1550_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:d1550:-:*:*:*:*:*:*:*

Configuration 5 [-]

AND
cpe:2.3:o:canon:mf1127c_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf1127c:-:*:*:*:*:*:*:*

Configuration 6 [-]

AND
cpe:2.3:o:canon:mf1238_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf1238:-:*:*:*:*:*:*:*

Configuration 7 [-]

AND
cpe:2.3:o:canon:mf1238_ii_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf1238_ii:-:*:*:*:*:*:*:*

Configuration 8 [-]

AND
cpe:2.3:o:canon:mf1643i_ii_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf1643i_ii:-:*:*:*:*:*:*:*

Configuration 9 [-]

AND
cpe:2.3:o:canon:mf1643if_ii_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf1643if_ii:-:*:*:*:*:*:*:*

Configuration 10 [-]

AND
cpe:2.3:o:canon:mf414dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf414dw:-:*:*:*:*:*:*:*

Configuration 11 [-]

AND
cpe:2.3:o:canon:mf416dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf416dw:-:*:*:*:*:*:*:*

Configuration 12 [-]

AND
cpe:2.3:o:canon:mf419dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf419dw:-:*:*:*:*:*:*:*

Configuration 13 [-]

AND
cpe:2.3:o:canon:mf515dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf515dw:-:*:*:*:*:*:*:*

Configuration 14 [-]

AND
cpe:2.3:o:canon:mf424dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf424dw:-:*:*:*:*:*:*:*

Configuration 15 [-]

AND
cpe:2.3:o:canon:mf426dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf426dw:-:*:*:*:*:*:*:*

Configuration 16 [-]

AND
cpe:2.3:o:canon:mf429dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf429dw:-:*:*:*:*:*:*:*

Configuration 17 [-]

AND
cpe:2.3:o:canon:mf525dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf525dw:-:*:*:*:*:*:*:*

Configuration 18 [-]

AND
cpe:2.3:o:canon:mf445dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf445dw:-:*:*:*:*:*:*:*

Configuration 19 [-]

AND
cpe:2.3:o:canon:mf448dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf448dw:-:*:*:*:*:*:*:*

Configuration 20 [-]

AND
cpe:2.3:o:canon:mf449dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf449dw:-:*:*:*:*:*:*:*

Configuration 21 [-]

AND
cpe:2.3:o:canon:mf543dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf543dw:-:*:*:*:*:*:*:*

Configuration 22 [-]

AND
cpe:2.3:o:canon:mf451dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf451dw:-:*:*:*:*:*:*:*

Configuration 23 [-]

AND
cpe:2.3:o:canon:mf452dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf452dw:-:*:*:*:*:*:*:*

Configuration 24 [-]

AND
cpe:2.3:o:canon:mf453dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf453dw:-:*:*:*:*:*:*:*

Configuration 25 [-]

AND
cpe:2.3:o:canon:mf455dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf455dw:-:*:*:*:*:*:*:*

Configuration 26 [-]

AND
cpe:2.3:o:canon:mf6160dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf6160dw:-:*:*:*:*:*:*:*

Configuration 27 [-]

AND
cpe:2.3:o:canon:mf6180dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf6180dw:-:*:*:*:*:*:*:*

Configuration 28 [-]

AND
cpe:2.3:o:canon:mf624cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf624cdw:-:*:*:*:*:*:*:*

Configuration 29 [-]

AND
cpe:2.3:o:canon:mf628cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf628cdw:-:*:*:*:*:*:*:*

Configuration 30 [-]

AND
cpe:2.3:o:canon:mf632cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf632cdw:-:*:*:*:*:*:*:*

Configuration 31 [-]

AND
cpe:2.3:o:canon:mf634cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf634cdw:-:*:*:*:*:*:*:*

Configuration 32 [-]

AND
cpe:2.3:o:canon:mf641cw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf641cw:-:*:*:*:*:*:*:*

Configuration 33 [-]

AND
cpe:2.3:o:canon:mf642cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf642cdw:-:*:*:*:*:*:*:*

Configuration 34 [-]

AND
cpe:2.3:o:canon:mf644cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf644cdw:-:*:*:*:*:*:*:*

Configuration 35 [-]

AND
cpe:2.3:o:canon:mf726cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf726cdw:-:*:*:*:*:*:*:*

Configuration 36 [-]

AND
cpe:2.3:o:canon:mf729cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf729cdw:-:*:*:*:*:*:*:*

Configuration 37 [-]

AND
cpe:2.3:o:canon:mf731cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf731cdw:-:*:*:*:*:*:*:*

Configuration 38 [-]

AND
cpe:2.3:o:canon:mf733cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf733cdw:-:*:*:*:*:*:*:*

Configuration 39 [-]

AND
cpe:2.3:o:canon:mf735cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf735cdw:-:*:*:*:*:*:*:*

Configuration 40 [-]

AND
cpe:2.3:o:canon:mf741cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf741cdw:-:*:*:*:*:*:*:*

Configuration 41 [-]

AND
cpe:2.3:o:canon:mf743cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf743cdw:-:*:*:*:*:*:*:*

Configuration 42 [-]

AND
cpe:2.3:o:canon:mf745cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf745cdw:-:*:*:*:*:*:*:*

Configuration 43 [-]

AND
cpe:2.3:o:canon:mf746cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf746cdw:-:*:*:*:*:*:*:*

Configuration 44 [-]

AND
cpe:2.3:o:canon:mf810cdn_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf810cdn:-:*:*:*:*:*:*:*

Configuration 45 [-]

AND
cpe:2.3:o:canon:mf820cdn_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf820cdn:-:*:*:*:*:*:*:*

Configuration 46 [-]

AND
cpe:2.3:o:canon:mf8280cw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf8280cw:-:*:*:*:*:*:*:*

Configuration 47 [-]

AND
cpe:2.3:o:canon:mf8580cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:mf8580cdw:-:*:*:*:*:*:*:*

Configuration 48 [-]

AND
cpe:2.3:o:canon:lbp1127c_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:lbp1127c:-:*:*:*:*:*:*:*

Configuration 49 [-]

AND
cpe:2.3:o:canon:lbp1238_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:lbp1238:-:*:*:*:*:*:*:*

Configuration 50 [-]

AND
cpe:2.3:o:canon:lbp1238_ii_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:lbp1238_ii:-:*:*:*:*:*:*:*

Configuration 51 [-]

AND
cpe:2.3:o:canon:lbp214dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:lbp214dw:-:*:*:*:*:*:*:*

Configuration 52 [-]

AND
cpe:2.3:o:canon:lbp215dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:lbp215dw:-:*:*:*:*:*:*:*

Configuration 53 [-]

AND
cpe:2.3:o:canon:lbp226dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:lbp226dw:-:*:*:*:*:*:*:*

Configuration 54 [-]

AND
cpe:2.3:o:canon:lbp227dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:lbp227dw:-:*:*:*:*:*:*:*

Configuration 55 [-]

AND
cpe:2.3:o:canon:lbp228dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:lbp228dw:-:*:*:*:*:*:*:*

Configuration 56 [-]

AND
cpe:2.3:o:canon:lbp236dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:lbp236dw:-:*:*:*:*:*:*:*

Configuration 57 [-]

AND
cpe:2.3:o:canon:lbp237dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:lbp237dw:-:*:*:*:*:*:*:*

Configuration 58 [-]

AND
cpe:2.3:o:canon:lbp251dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:lbp251dw:-:*:*:*:*:*:*:*

Configuration 59 [-]

AND
cpe:2.3:o:canon:lbp253dw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:lbp253dw:-:*:*:*:*:*:*:*

Configuration 60 [-]

AND
cpe:2.3:o:canon:lbp612cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:lbp612cdw:-:*:*:*:*:*:*:*

Configuration 61 [-]

AND
cpe:2.3:o:canon:lbp622cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:lbp622cdw:-:*:*:*:*:*:*:*

Configuration 62 [-]

AND
cpe:2.3:o:canon:lbp623cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:lbp623cdw:-:*:*:*:*:*:*:*

Configuration 63 [-]

AND
cpe:2.3:o:canon:lbp654cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:lbp654cdw:-:*:*:*:*:*:*:*

Configuration 64 [-]

AND
cpe:2.3:o:canon:lbp664cdw_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:lbp664cdw:-:*:*:*:*:*:*:*

Configuration 65 [-]

AND
cpe:2.3:o:canon:ir1435i_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:ir1435i:-:*:*:*:*:*:*:*

Configuration 66 [-]

AND
cpe:2.3:o:canon:1435if_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:1435if:-:*:*:*:*:*:*:*

Configuration 67 [-]

AND
cpe:2.3:o:canon:1435p_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:1435p:-:*:*:*:*:*:*:*

Configuration 68 [-]

AND
cpe:2.3:o:canon:1435i\+_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:1435i\+:-:*:*:*:*:*:*:*

Configuration 69 [-]

AND
cpe:2.3:o:canon:1435if\+_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:1435if\+:-:*:*:*:*:*:*:*

Configuration 70 [-]

AND
cpe:2.3:o:canon:1435p\+_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:1435p\+:-:*:*:*:*:*:*:*

Configuration 71 [-]

AND
cpe:2.3:o:canon:ir1643i_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:ir1643i:-:*:*:*:*:*:*:*

Configuration 72 [-]

AND
cpe:2.3:o:canon:ir1643if_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:ir1643if:-:*:*:*:*:*:*:*

Configuration 73 [-]

AND
cpe:2.3:o:canon:wg7240_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:wg7240:-:*:*:*:*:*:*:*

Configuration 74 [-]

AND
cpe:2.3:o:canon:wg7250_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:wg7250:-:*:*:*:*:*:*:*

Configuration 75 [-]

AND
cpe:2.3:o:canon:wg7250f_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:wg7250f:-:*:*:*:*:*:*:*

Configuration 76 [-]

AND
cpe:2.3:o:canon:wg7250z_firmware:-:*:*:*:*:*:*:*
cpe:2.3:h:canon:wg7250z:-:*:*:*:*:*:*:*
References
Link Resource
https://www.usa.canon.com/support/canon-product-advisories/canon-laser-printer-inkjet-printer-and-small-office-multifunctional-printer-measure-against-buffer-overflow Vendor Advisory
https://www.zerodayinitiative.com/advisories/ZDI-22-515/ Third Party Advisory VDB Entry
History

No history.

cve-icon MITRE Information

Status: PUBLISHED

Assigner: zdi

Published: 2023-03-28T00:00:00

Updated: 2023-03-28T00:00:00

Reserved: 2022-02-08T00:00:00

Link: CVE-2022-24673

JSON object: View

cve-icon NVD Information

Status : Analyzed

Published: 2023-03-28T19:15:10.793

Modified: 2023-04-03T18:52:14.543

Link: CVE-2022-24673

JSON object: View

cve-icon Redhat Information

No data.

CWE