CVE-2021-44734
Description
An unauthenticated, network-adjacent attacker can write arbitrary content to a configuration file via the embedded web server on Lexmark printers, leading to remote code execution.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
The vulnerability (CVE-2021-44734) exists in the embedded HTTP server of Lexmark MC3224i printers, and likely other affected Lexmark devices through 2021-12-07. The flaw is a lack of proper input sanitization of a user-supplied string before it is used to write to a configuration file. This allows an attacker to inject arbitrary content that can be interpreted as code. Authentication is not required to trigger the vulnerable code path [1].
Exploitation
An unauthenticated attacker on the same network (network-adjacent) can send a specially crafted HTTP request to the printer's web configuration interface. The server fails to validate the user input, enabling the attacker to write arbitrary data to a configuration file. No user interaction is required. The specific flaw was demonstrated during Pwn2Own 2022 [1].
Impact
Successful exploitation allows an attacker to execute arbitrary code on the device in the context of the www-data user, resulting in a full compromise of confidentiality, integrity, and availability. The CVSS score is 8.8 (AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H) [1].
Mitigation
Lexmark has released security advisories for this vulnerability. Customers should update their printer firmware to the latest version provided by Lexmark. As of the publication date (2022-01-20), affected models include the Lexmark MC3224i. No workaround is available; applying the vendor-supplied patch is recommended [1][2].
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (2)
- Lexmark/devices
Patches (0)
No patches discovered yet.
Vulnerability mechanics
No source-code context for this CVE — mechanics is only generated when we can read the actual fix diff. Without that, the four sections (root cause, attack vector, affected code, fix) would be speculation rather than analysis.
References (2)
- support.lexmark.com/alerts/
- www.zerodayinitiative.com/advisories/ZDI-22-332/
News mentions (0)
No linked articles in our index yet.