The vendor then issued a second statement on 2022-02-07 that "the latest versions of firmware are NOT vulnerable to this issue." VersaLink devices may be vulnerable to this issue on specific versions of firmware. The vendor recommends not using TIFF files with the Image Directory set to "Directory" or "Dir" for these VersaLink devices. The vendor has not confirmed which VersaLink devices are vulnerable, but the VersaLink devices have a history of being used in enterprise facilities and often connect to a proprietary network where the firmware version can be determined. VersaLink devices may be vulnerable to this issue on specific versions of firmware. The vendor recommends not using TIFF files with the Image Directory set to "Directory" or "Dir" for these VersaLink devices. The vendor has not confirmed which VersaLink devices are vulnerable, but the VersaLink devices have a history of being used in enterprise facilities and often connect to a proprietary network where the firmware version can be determined. Affected firmware versions include xx.42.01 and xx.50.61. NOTE: the 2022-01-24 Neosmart article included "believed to affect all previous and later versions as of the date of this posting" but a 2022-01-26 vendor statement reports "the latest versions of firmware are not vulnerable to this issue."
Vulnerable VersaLink device info
The vendor has not confirmed which VersaLink devices are vulnerable, but the VersaLink devices have a history of being used in enterprise facilities and often connect to a proprietary network where the firmware version can be determined. The vendor recommends not using TIFF files with the Image Directory set to "Directory" or "Dir" for these VersaLink devices.
Dependencies and How to Find Them
The following dependency list includes devices that are believed to be affected by CVE-2022-23968 and the latest versions of firmware are NOT vulnerable to this issue.
Medis Device:
Dependencies:
Neosmart:
Dependencies:
VersaLink:
Dependencies:
Vulnerability Overview:
The vulnerability is in the way that firmware uploads images to the Image Directory on a VersaLink device. If a user has chosen the "Directory" or "Dir" option for the Image Directory, the firmware uploads all TIFF files with no encryption. This vulnerability affects all VersaLink devices on specific versions of firmware. The vendor has not confirmed which VersaLink devices are vulnerable, but the VersaLink devices have a history of being used in enterprise facilities and often connect to a proprietary network where the firmware version can be determined. VersaLink devices may be vulnerable to this issue on specific versions of firmware. The vendor recommends not using TIFF files with the Image Directory set to "Directory" or "Dir" for these VersaLink devices. The vendor has not confirmed which VersaLink devices are vulnerable, but the VersaLink devices have a history of being used in enterprise facilities and often connect to a proprietary network where the firmware version can be determined. Affected firmware versions include xx.42.01 and xx.50.61
Timeline
Published on: 01/26/2022 06:15:00 UTC
Last modified on: 02/03/2022 15:46:00 UTC