A critical buffer overflow vulnerability exists in the firmware of multiple Canon Small Office Multifunction and Laser Printers. An attacker on the local network could send a malicious print job to an affected device, causing it to become unresponsive or allowing the attacker to execute arbitrary code, potentially leading to a complete compromise of the device and a foothold into the corporate network.

The vulnerability is a buffer overflow within the component responsible for processing the Font Program (fpgm) data in XPS (XML Paper Specification) fonts. An unauthenticated attacker on the same network segment can send a specially crafted XPS document to an affected printer. This can overwhelm the memory buffer allocated for font processing, leading to a denial-of-service (DoS) condition that crashes the device or, more critically, allowing for the execution of arbitrary code with the privileges of the printer's firmware.

This vulnerability is rated as critical severity with a CVSS score of 9.8. Successful exploitation poses a severe risk to the organization. An attacker could gain full control of a printer, enabling them to steal sensitive information from print, scan, or copy jobs, use the device as a pivot point to attack other systems on the internal network, or install persistent malware. A denial-of-service attack could disrupt essential business functions that rely on these multifunction devices, leading to productivity loss and operational downtime.

Immediate Action: Identify all affected printer models within the environment and update their firmware to the latest version provided by the vendor, which addresses this vulnerability. After patching, monitor the devices for any unusual behavior and review print job logs for any signs of failed or malicious exploitation attempts.

Proactive Monitoring: Monitor network traffic to printers, specifically looking for anomalies such as unusually large or malformed XPS print jobs. Configure and review printer syslogs for repeated crashes, unexpected reboots, or error messages related to font or document processing, which could indicate an attempted attack.

Compensating Controls: If patching cannot be performed immediately, isolate printers on a separate, restricted network segment (VLAN) with strict access control lists (ACLs) to limit communication to and from only trusted hosts. If not essential for business operations, consider disabling the XPS printing feature on the devices or blocking XPS-based print jobs at the network or print server level.

Public Exploit Available: false

Given the critical CVSS score of 9.8 and the risk of remote code execution on a common network device, this vulnerability must be addressed with extreme urgency. We strongly recommend that organizations immediately identify all affected Canon printers and apply the necessary firmware updates as a top priority. Due to the significant risk of network pivoting and data exfiltration, patching should not be delayed, even in the absence of active exploitation.