CVE-2022-23968 Devices on specific versions of firmware before 2022-01-26 can be bricked if they're exposed to a malicious TIFF file.

The vendor then issued a second statement on 2022-02-07 that "the latest versions of firmware are NOT vulnerable to this issue." VersaLink devices may be vulnerable to this issue on specific versions of firmware. The vendor recommends not using TIFF files with the Image Directory set to "Directory" or "Dir" on these VersaLink devices. The vendor has not confirmed which VersaLink devices are vulnerable, but VersaLink devices have a history of use in enterprise facilities and often connect to a proprietary network where the firmware version can be determined. Affected firmware versions include xx.42.01 and xx.50.61. NOTE: the 2022-01-24 Neosmart article included "believed to affect all previous and later versions as of the date of this posting," but a 2022-01-26 vendor statement reports "the latest versions of firmware are not vulnerable to this issue."

Dependencies and How to Find Them

The following dependency list includes devices that are believed to be affected by CVE-2022-23968; the latest versions of firmware are NOT vulnerable to this issue.
Medis Device:
Dependencies:
Neosmart:
Dependencies:
VersaLink:
Dependencies:

Vulnerability Overview:

The vulnerability lies in the way the firmware uploads images to the Image Directory on a VersaLink device. If a user has chosen the "Directory" or "Dir" option for the Image Directory, the firmware uploads all TIFF files with no encryption. This vulnerability affects all VersaLink devices on specific versions of firmware. The vendor has not confirmed which VersaLink devices are vulnerable, but VersaLink devices have a history of use in enterprise facilities and often connect to a proprietary network where the firmware version can be determined. The vendor recommends not using TIFF files with the Image Directory set to "Directory" or "Dir" on these VersaLink devices. Affected firmware versions include xx.42.01 and xx.50.61.
