This page provides information on new or recently updated security advisories for Lexmark products.
Spectre and Meltdown Vulnerabilities (CVE-2017-5753, CVE-2017-5715, and CVE-2017-5754)
Some Lexmark products may contain CPUs that are affected by the speculative execution vulnerabilities known as Spectre (CVE-2017-5753 and CVE-2017-5715) and Meltdown (CVE-2017-5754). However, there is no known path to exploit these vulnerabilities on a Lexmark device.
Orpheus' Lyre Vulnerability (CVE-2017-11103)
A vulnerability in Heimdal (an implementation of Kerberos 5) before release 7.4 allows remote attackers to impersonate services with Orpheus' Lyre attacks because it obtains service-principal names in a way that violates the Kerberos 5 protocol specification.
WannaCry Ransomware Vulnerability (CVE-2017-0143)
Lexmark devices are not vulnerable to WannaCry ransomware or to the following associated exploits: EternalBlue, EternalSynergy, EternalRomance, EternalChampion. This attack propagates through Microsoft SMBv1 servers.
A vulnerability was discovered in the XLS parsing function that provides the potential for an attacker to execute arbitrary code on an affected device.
Lexmark has learned of three separate vulnerabilities in Lexmark Perceptive Document Filters that, under certain circumstances, could lead to arbitrary code execution.
Under certain circumstances some Lexmark printers will fail to erase stored information when requested.
Markvision Enterprise contains a vulnerability that allows for unauthenticated remote execution of commands on the MVE server.
Under certain circumstances during initialization, some Lexmark printers have a race condition that allows unauthenticated access to device functions.
Logjam Vulnerability in Diffie-Hellman Key Exchange (CVE-2015-4000)
Lexmark has learned of a vulnerability in some implementations of the SSL/TLS protocol that allows an attacker to compromise communications over that protocol.
FREAK: Factoring Attack on RSA-Export Vulnerability (CVE-2015-0204)
Lexmark has learned of a vulnerability in some implementations of the SSL/TLS protocol that allows an attacker to compromise communications over that protocol.
GHOST Glibc Buffer Overflow Vulnerability (CVE-2015-0235)
Lexmark has learned of a vulnerability in the "glibc" library that provides the potential for an attacker to execute arbitrary code on an affected system.
Markvision Input Validation Vulnerability (CVE-2014-9375)
Markvision Enterprise contains a vulnerability that allows uploaded ZIP files to be unpacked into arbitrary locations.
Markvision Remote Code Execution Vulnerability (CVE-2014-8741)
MarkVision Enterprise contains a vulnerability that allows an unauthenticated remote attacker to upload files and execute arbitrary commands with the privilege of the MarkVision Enterprise application.
Markvision Input Validation Vulnerability (CVE-2014-8742)
MarkVision Enterprise contains a vulnerability that allows an unauthenticated remote attacker to download arbitrary files from the MarkVision Enterprise platform.
POODLE Vulnerability (CVE-2014-3566)
Lexmark has learned of a vulnerability in the SSLv3 protocol which allows an attacker with the ability to intercept and insert traffic (Man-In-The-Middle) to decrypt a portion of the encrypted communication.
Bash "shellshock" Vulnerabilities (CVE-2014-6271)
Lexmark has learned of a series of vulnerabilities in the open-source bash shell program that allow an attacker to execute arbitrary commands on a vulnerable system. No Lexmark devices or software products are affected by this vulnerability.
OpenSSL CCS Injection Vulnerability (CVE-2014-0224)
Lexmark has learned of a group of vulnerabilities in certain versions of the open-source OpenSSL library that can be exploited by a Man-In-The-Middle attack. Multiple Lexmark products are affected by this vulnerability.
OpenSSL Heartbleed Vulnerability (CVE-2014-0160)
Lexmark has learned of a vulnerability in certain versions of the open-source OpenSSL Library that allows unauthenticated access to private memory of printer devices and computer systems. Multiple Lexmark products are affected by this vulnerability.
HTML injection vulnerability (CVE-2013-6033)
Some Lexmark Printers do not properly sanitize user-supplied values for the "Contact" and "Location" settings. This vulnerability can be exploited to execute arbitrary HTML or script code in the browser of anyone viewing the device's embedded web server.
Password Reset vulnerability (CVE-2013-6032)
Some Lexmark Printers and MarkNet devices will fail to authenticate a specially crafted password reset request. This vulnerability can be exploited to bypass authentication configured on the device.
Markvision Unauthorized access vulnerability (CVE-2013-3055)
Markvision Enterprise contains a vulnerability that allows an unauthenticated remote attacker to access and modify configuration data and fleet management information, in addition to executing commands within the application.
Information leakage vulnerability (CVE-2011-4538)
Some Lexmark Multifunction Devices include sensitive configuration values in exported settings files. This vulnerability can be exploited to enable unauthorized disclosure of device configuration information.
Email Shortcut Security Vulnerability (CVE-2011-3269)
Some Lexmark Multifunction Devices allow the creation of email shortcuts that contain hidden recipients. This vulnerability can be exploited to enable unauthorized personnel to receive a covert copy of email sent by the device using the modified shortcut.
PJL Remote Buffer Overflow Security Vulnerability (CVE-2010-0619)
Some Lexmark Laser Printers contain remote buffer overflow vulnerabilities in their PJL processing functionality. These vulnerabilities could potentially lead to remote code execution, but no malicious use of this vulnerability is known.
FTP Denial of Service Security Vulnerability (CVE-2010-0618)
Some Lexmark Printers and MarkNet devices contain denial of service vulnerabilities in the FTP service. These vulnerabilities can be exploited with repeated aborted FTP connections to the printer, causing the printer to ignore incoming TCP network connections to multiple services.
HTTP Denial of service vulnerability (CVE-2010-0101)
Some Lexmark Printers and MarkNet Devices contain a denial of service vulnerability in their HTTP service. This vulnerability can be exploited to crash the printer.
SSL Denial of service vulnerability (CVE-2004-0079)
Some Lexmark Printers and MarkNet Devices contain a denial of service vulnerability in their SSL/TLS processing. This vulnerability can be exploited to crash the printer.