Dear Customers,
We deeply appreciate your continued patronage of Develop products.
Multiple security vulnerabilities have been newly identified in the indicated models.
This advisory provides an overview of the issues and the recommended countermeasures.
Please note that, at the time of writing, there have been no confirmed security incidents globally resulting from the exploitation of these vulnerabilities.
Overview of the vulnerabilities
Ref. ID | Vulnerability description | Reference |
---|---|---|
CVE-2017-9765 | Stack Buffer Overflow Vulnerability | Link |
CVE-2024-2169 | Infinite Loop of Messages Between Servers | Link |
CVE-2024-51977 | Possibility of information leakage in the printer | Link |
CVE-2024-51978 | Possibility of Authentication Bypass | Link |
CVE-2024-51979 | Possible Stack Overflow | Link |
CVE-2024-51980 | Possibility of a forced TCP connection | Link |
CVE-2024-51981 | Possibility of arbitrary HTTP request execution | Link |
CVE-2024-51983 | External attacks can cause device to crash | Link |
CVE-2024-51984 | Possibility of information leakage in the printer due to pass-back attacks | Link |
Affected Models and the countermeasure firmware
Product name | Program name | Affected version | Fixed version |
---|---|---|---|
ineo 5020i | Main-Firmware | U2406280431 (Ver R) or earlier | U2412241059 (Ver S) or later |
ineo 5020i | Sub-Firmware | 1.13 or earlier | 1.15 or later |
ineo 5000i | Main-Firmware | 1.32 or earlier | 1.33 or later |
ineo 5000i | Sub-Firmware | 1.13 or earlier | 1.15 or later |
ineo 4020i | Main-Firmware | U2406280431 (Ver R) or earlier | U2412241059 (Ver S) or later |
ineo 4020i | Sub-Firmware | 1.13 or earlier | 1.15 or later |
ineo 4000i | Main-Firmware | 1.28 or earlier | 1.29 or later |
ineo 4000i | Sub-Firmware | 1.13 or earlier | 1.15 or later |
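A defender-side inventory check, added here as an example and not part of the Develop advisory: it compares a device's installed Main- and Sub-Firmware against the affected and fixed versions in the table above and reports whether the device still needs the update. Model names and versions are transcribed from the table; the inventory rows are constructed, and the ordering rule (numeric part of the "U" build code, dotted decimal for the other versions) is an assumption.

```python
import re

# Last affected / first fixed versions, transcribed from the advisory table.
FIRMWARE_TABLE = {
    "ineo 5020i": {"Main-Firmware": ("U2406280431", "U2412241059"),
                   "Sub-Firmware": ("1.13", "1.15")},
    "ineo 5000i": {"Main-Firmware": ("1.32", "1.33"),
                   "Sub-Firmware": ("1.13", "1.15")},
    "ineo 4020i": {"Main-Firmware": ("U2406280431", "U2412241059"),
                   "Sub-Firmware": ("1.13", "1.15")},
    "ineo 4000i": {"Main-Firmware": ("1.28", "1.29"),
                   "Sub-Firmware": ("1.13", "1.15")},
}

def version_key(version):
    """Comparable key: "U2406280431(Ver R)" -> ("U", 2406280431); "1.13" -> (1, 13).
    Assumption: the "(Ver X)" suffix carries no extra ordering information."""
    v = re.sub(r"\s*\(Ver [A-Z]\)\s*", "", version.strip())
    m = re.fullmatch(r"U(\d+)", v)
    if m:
        return ("U", int(m.group(1)))
    return tuple(int(p) for p in v.split("."))

def status(model, program, installed):
    """Return 'affected', 'fixed' or 'unknown' for one firmware component."""
    try:
        last_bad, first_fixed = FIRMWARE_TABLE[model][program]
        key = version_key(installed)
        if key <= version_key(last_bad):
            return "affected"
        if key >= version_key(first_fixed):
            return "fixed"
    except (KeyError, ValueError, TypeError):
        pass  # unlisted model/program, unparsable or mismatched version format
    return "unknown"  # also: a build between the two listed versions

def check_device(model, main_fw, sub_fw):
    """A device counts as remediated only when both components are fixed."""
    result = {"Main-Firmware": status(model, "Main-Firmware", main_fw),
              "Sub-Firmware": status(model, "Sub-Firmware", sub_fw)}
    result["needs_update"] = any(s != "fixed" for s in result.values())
    return result

# Constructed sample inventory: (model, Main-Firmware, Sub-Firmware).
SAMPLE_INVENTORY = [("ineo 5020i", "U2406280431(Ver R)", "1.13"),
                    ("ineo 4020i", "U2412241059 (Ver S)", "1.13"),
                    ("ineo 5000i", "1.33", "1.15")]

def devices_needing_update(inventory=SAMPLE_INVENTORY):
    """Models from the inventory that are not fully at a fixed version."""
    return [m for m, main, sub in inventory if check_device(m, main, sub)["needs_update"]]
```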
Remediations
- Download the Firmware Update Tool from Drivers & Downloads and upgrade the firmware of your device. Before proceeding, please refer to the attached Firmware Update Procedure guide.
- If the default administrator password has not yet been changed, it is strongly recommended to change it to a complex and unique password immediately after the update.
You can download a complete guide for the firmware update procedure here:
Firmware Update Procedure Guide
Vulnerability Specific Recommendations
Ref. ID | Mitigations |
---|---|
CVE-2017-9765 | Disable WSD feature. |
CVE-2024-2169 | Disable TFTP. |
CVE-2024-51977 | Upgrade to the latest firmware. (There is no workaround available.) |
CVE-2024-51978 | Change the administrator password from the default value. |
CVE-2024-51979 | Change the administrator password from the default value. |
CVE-2024-51980 | Disable WSD feature. |
CVE-2024-51981 | Disable WSD feature. |
CVE-2024-51983 | Disable WSD feature. |
CVE-2024-51984 | Disable WSD feature. |
General Security Recommendations
To ensure a secure operating posture for your multifunction devices, and to reduce exposure to the vulnerabilities described in this advisory, Develop strongly recommends applying the following configuration best practices:
- Avoid Direct Internet Exposure: Place devices behind firewalls and use private IP addressing.
- Change Default Passwords: Change default credentials and implement strong passwords for administrative and network functions.
- Use Strong Passwords for Services: Ensure strong credentials are configured for SMTP, LDAP, and any other integrated services.
- Disable Unused Services: Turn off unused ports or protocols (specifically WSD & TFTP) to reduce attack surface.
- Use Secure Protocols: Configure devices to use encrypted communications (e.g., HTTPS, LDAPS, IPPS) where supported.
- Monitor Device Activity: Regularly review device logs and network traffic for suspicious behavior.
- Enable Authentication Where Available: Use built-in user authentication features to prevent unauthorized access to device functions.
Enhancing the Security of Products and Services
Konica Minolta considers the security of its products and services to be an important responsibility and will continue to actively respond to incidents and vulnerabilities.
Contact
Should you require further clarification or assistance with implementing the recommended measures or applying the relevant firmware update, please contact your authorized Develop service representative.