A critical buffer overflow vulnerability exists in the firmware of multiple Canon Small Office Multifunction Printers and Laser Printers. An attacker on the same network can send a specially crafted XPS document to an affected device, potentially causing it to crash or allowing the attacker to execute arbitrary code, leading to a complete compromise of the device.

The vulnerability is a buffer overflow that occurs during the XML processing of an XPS (XML Paper Specification) file. The printer's firmware fails to properly validate the size of data within the submitted XPS file, allowing an attacker to write data beyond the intended buffer's boundaries. An attacker on the local network segment can exploit this by sending a malicious XPS print job to a vulnerable printer, which could overwrite critical memory areas, leading to a denial-of-service (device crash) or, more severely, remote code execution (RCE) with the privileges of the device's firmware.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation could have a severe impact on the organization. An attacker gaining arbitrary code execution on a printer could access sensitive information from print, scan, or copy jobs, including confidential documents, financial data, and personal information. The compromised printer could also be used as a pivot point to launch further attacks against the internal network, bypassing perimeter security controls. At a minimum, exploitation could lead to a denial-of-service condition, rendering printers unavailable and causing significant disruption to business operations.

Immediate Action: Identify all affected printer models listed in the "Affected Versions" section within the environment. Immediately update the firmware on these devices to a version higher than v06.02, as recommended by the vendor. After patching, review device access and print job logs for any anomalous activity that may have occurred prior to the update.

Proactive Monitoring: Monitor network traffic for unusual or large XPS files being sent to printers from non-standard sources. Implement logging for all print jobs and regularly review printer system logs for unexpected reboots, crashes, or error messages related to file processing. Configure network intrusion detection systems (NIDS) to alert on signatures associated with buffer overflow attempts against printer network ports.

Compensating Controls: If immediate patching is not feasible, implement network segmentation by placing all printers on a separate, restricted VLAN. Use strict Access Control Lists (ACLs) to ensure that only authorized print servers and management workstations can communicate with the printers. If the functionality is not required for business operations, consider disabling the XPS printing feature on the devices through their administrative interface.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the risk of remote code execution, this vulnerability poses a significant threat to the organization. We strongly recommend that all affected Canon printer models be identified and have their firmware updated immediately. This remediation activity should be treated with the highest priority. In parallel, organizations should implement compensating controls, such as network segmentation for printers, to limit the attack surface and mitigate risk until all devices are patched.