CVE-2023-23560: Critical server-side request forgery flaw in Lexmark products
Recently, Lexmark released software to remediate two security vulnerabilities affecting certain of its products that could expose users to remote code execution and brute force attacks.
One of the flaws is critical, carrying a severity rating of 9.0 out of a maximum of 10, the manufacturer of laser printers and imaging products noted in its first security bulletin for 2023.
The critical flaw, tracked as CVE-2023-23560, is a server-side request forgery vulnerability caused by improper input validation in the Web Services feature of Lexmark products. A remote attacker could exploit it to conduct an SSRF attack and execute arbitrary code on the affected device.
“A Server-Side Request Forgery (SSRF) vulnerability has been identified in the Web Services feature of newer Lexmark devices. This vulnerability can be leveraged by an attacker to gain arbitrary code execution on the device,” the company wrote in its advisories.
Besides releasing new firmware to address the issues, Lexmark has also provided workarounds to mitigate them until the patches can be applied.
While there is no indication that CVE-2023-23560 has been exploited in the wild, proof-of-concept code has been published.
A second vulnerability (CVE-2023-22960, CVSS score: 5.3) concerns the brute-force protection on the device: an unauthenticated attacker could bypass this protection, allowing unrestricted attempts to guess a local account’s credentials. Panagiotis Chartas (t3l3machus) has been credited with reporting this flaw.