Vulnerabilities > CVE-2022-23968 - Infinite Loop vulnerability in Xerox Versalink Firmware

CVSS 7.8 - HIGH

Attack vector

NETWORK

Attack complexity

LOW

Privileges required

NONE

Confidentiality impact

NONE

Integrity impact

NONE

Availability impact

COMPLETE

network

low complexity

xerox

CWE-835

NVD

Published: 2022-01-26

Updated: 2022-02-03

Summary

Xerox VersaLink devices on specific versions of firmware before 2022-01-26 allow remote attackers to brick the device via a crafted TIFF file in an unauthenticated HTTP POST request. There is a permanent denial of service because image parsing causes a reboot, but image parsing is restarted as soon as the boot process finishes. However, this boot loop can be resolved by a field technician. The TIFF file must have an incomplete Image Directory. Affected firmware versions include xx.42.01 and xx.50.61. NOTE: the 2022-01-24 NeoSmart article included "believed to affect all previous and later versions as of the date of this posting" but a 2022-01-26 vendor statement reports "the latest versions of firmware are not vulnerable to this issue."

Vulnerable Configurations

Part	Description	Count
OS	Xerox Xerox Versalink Firmware *	1
Hardware	Xerox Xerox Versalink B400 - Xerox Versalink B405 - Xerox Versalink B600 - Xerox Versalink B610 - Xerox Versalink B7025 - Xerox Versalink B7030 - Xerox Versalink B7035 - Xerox Versalink C400 - Xerox Versalink C405 - Xerox Versalink C500 - Xerox Versalink C505 - Xerox Versalink C600 - Xerox Versalink C605 - Xerox Versalink C7000 - Xerox Versalink C7020 - Xerox Versalink C7025 - Xerox Versalink C7030 - Xerox Versalink C8000 - Xerox Versalink C8000W - Xerox Versalink C9000 -	20

Common Weakness Enumeration (CWE)

CWE-835 - Loop with Unreachable Exit Condition ('Infinite Loop')

Summary

Vulnerable Configurations

Common Weakness Enumeration (CWE)

References