Notification about the RSA key vulnerability in our multi-function printers and single-function printers

March 2, 2022
March 14, 2022
March 22, 2022

Dear Customers,

We would like to thank you for your continuous support of Fujifilm (formerly Fuji Xerox) products.

A potential vulnerability was found in the cryptographic module used by our multi-function printers and single-function printers listed in the table below. We recommend that customers check whether their printer is on the list and is affected by this vulnerability.

As of now, there are no cases reported on this vulnerability. Listed below are some measures that can be applied immediately to your printer to reduce the impact.

Affected models and the status of fixed firmware

The models listed below are affected by this vulnerability. Firmware versions listed below DO NOT have this vulnerability.

| Affected models | Fixed firmware version (As of March 1 2022) |
|---|---|
| Apeos C7070 / C6570 / C5570 / C4570 / C3570 / C3070 / C7070 G / C6570 G / C5570 G / C4570 G / C3570 G / C3070 G | 1.1.7 or later |
| Apeos C328 df / C328 dw / C325 dw / C325 z | 202112062053 or later |
| Apeos C8180 / C7580 / C6580 | 1.1.6 or later |
| ApeosPort 3560 / 3060 / 2560 / 3560 G / 3060 G / 2560 G | 1.60.9 or later |
| ApeosPort 5570 / 4570 / 5570 G / 4570 G | 1.60.9 or later |
| ApeosPort C3060 / C2560 / C2060 / C3060 G / C2560 G / C2060 G | 1.60.9 or later |
| ApeosPort C7070 / C6570 / C5570 / C4570 / C3570 / C3070 / C7070 G / C6570 G / C5570 G / C4570 G / C3570 G / C3070 G | 1.60.9 or later |
| ApeosPort Print C5570 | 1.60.9 or later |
| ApeosPort-VII 5021 / P4021 / 4021 | 1.60.9 or later |
| ApeosPort-VII CP4421 / C4421 / C3321 | 1.60.9 or later |
| ApeosPort-VII C7773 / C6673 / C5573 / C4473 / C3373 / C3372 / C2273 | 1.60.2 or later |
| ApeosPort-VII C7788 / C6688 / C5588 | 1.60.1 or later |
| ApeosPro C810 / C750 / C650 | 1.1.6 or later |
| ApeosPrint C328 / C328 dw / C325 dw | 202112062117 or later |
| DocuCentre-VII C7773 / C6673 / C5573 / C4473 / C3373 / C3372 / C2273 | 1.60.2 or later |
| DocuCentre-VII C7788 / C6688 / C5588 | 1.60.1 or later |
| DocuPrint 4405 d / 4408 d / 3505 d / 3508 d / 3205 d / 3208 d | 1.57.5 or later |
| DocuPrint C3555 d / C2555 d | 1.57.6 or later |
| PrimeLink C9070 / C9065 | 1.145.1 or later |

Details of vulnerability

This vulnerability was found in a third-party cryptographic module used in the multi-function printers and single-function printers: the RSA private key used for SSL/TLS encrypted connections can be guessed. If the vulnerability is exploited, the contents of connections with the affected devices could be revealed or tampered with.

Workaround Measures

In order to avoid the security breach, please apply either (or both) of the measures below, until the fixed firmware is released.

  1. Recreate “Self-Signed Certificates” or “Certificate Signing Request (CSR)” after either of the settings below is completed. You can recreate certificates via CentreWare Internet Service or Internet Service.
    • Enable FIPS 140-2 certification mode
      ApeosPort-VII/DocuCentre-VII series and Apeos/ApeosPro/ApeosPrint series support this feature.
    • Select “ECDSA/SHA-256”, “ECDSA/SHA-384” or “ECDSA/SHA-512” from “Type of digital signing” as a setting of elliptic curve cryptography.
  2. Please use your multi-function printers or single-function printers within a network protected by a firewall, etc.
  3. If your multi-function printer or single-function printer connection is open to the Internet, we encourage the use of the “restricted IP addresses” function in your security firewall or use a VPN connection.

Eliminating the Vulnerability

The latest firmware to fix the vulnerability has been released.

However, before the firmware is released, please apply the Workaround Measures listed above to reduce the impact.

After the firmware has been upgraded, customers must recreate “Self-Signed Certificates” and “Certificate Signing Request (CSR)”. The steps for recreating them are described in the Appendix.

For customers who have accepted the automatic firmware upgrade with the EP-BB maintenance contract, the firmware upgrade will be done by the EP-BB function after the release of the fixed firmware.

For other customers, please contact FUJIFILM Business Innovation via the support website at https://support-fb.fujifilm.com/

Caution

It is important that customers recreate “Self-Signed Certificates” and “Certificate Signing Request (CSR)” after the firmware is upgraded to strengthen the security. If you do not recreate the “Self-Signed Certificates” and “Certificate Signing Request (CSR)”, your devices might be exposed and impacted by the vulnerability (even after upgrading the firmware).
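One way to audit for the condition this Caution describes, as an added example that is not part of the original notice: read the key type and notBefore date from a device's certificate and flag RSA certificates that predate the firmware upgrade. The function names, the sample certificates (constructed skeletons with no real key) and the use of notBefore as a stand-in for key creation time are assumptions of this example.

```python
from datetime import datetime, timezone

RSA_OID = bytes.fromhex("2a864886f70d010101")  # 1.2.840.113549.1.1.1 rsaEncryption
EC_OID = bytes.fromhex("2a8648ce3d0201")       # 1.2.840.10045.2.1 id-ecPublicKey
# Live input: ssl.PEM_cert_to_DER_cert(ssl.get_server_certificate((host, 443)))

def read_tlv(buf, pos):
    """Return (tag, content, next_pos) for the DER element at pos."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:  # long form: low 7 bits give the number of length bytes
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def children(content):
    """Split the content of a constructed element into (tag, body) pairs."""
    out, pos = [], 0
    while pos < len(content):
        tag, body, pos = read_tlv(content, pos)
        out.append((tag, body))
    return out

def cert_key_info(der):
    """Return (key_type, not_before) from a DER-encoded X.509 certificate."""
    tbs = children(children(read_tlv(der, 0)[1])[0][1])
    if tbs[0][0] == 0xA0:  # optional [0] version field
        tbs = tbs[1:]
    # tbs is now: serial, signature alg, issuer, validity, subject, SPKI
    vtag, vbody = children(tbs[3][1])[0]
    fmt = "%y%m%d%H%M%SZ" if vtag == 0x17 else "%Y%m%d%H%M%SZ"
    not_before = datetime.strptime(vbody.decode(), fmt).replace(tzinfo=timezone.utc)
    oid = children(children(tbs[5][1])[0][1])[0][1]
    return {RSA_OID: "RSA", EC_OID: "EC"}.get(oid, "other"), not_before

def needs_regeneration(der, firmware_upgraded_at):
    """True if the RSA certificate predates the firmware upgrade."""
    key_type, not_before = cert_key_info(der)
    return key_type == "RSA" and not_before < firmware_upgraded_at

def sample_cert(oid, not_before):
    """Constructed skeleton (no real key or signature), for the demo only."""
    tlv = lambda tag, body: bytes([tag, len(body)]) + body  # short lengths only
    seq = lambda *parts: tlv(0x30, b"".join(parts))
    validity = seq(tlv(0x17, not_before), tlv(0x17, b"320101000000Z"))
    spki = seq(seq(tlv(0x06, oid)), tlv(0x03, b"\x00"))
    tbs = seq(tlv(0xA0, tlv(0x02, b"\x02")), tlv(0x02, b"\x01"),
              seq(), seq(), validity, seq(), spki)
    return seq(tbs, seq(), tlv(0x03, b"\x00"))
```

A CA-signed certificate issued from a CSR that was created before the upgrade carries the old key but a later notBefore date, so for CA-signed certificates compare the CSR creation time instead.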

Related information

Please refer to the reference sites below for publicly available details of the security risk.

Appendix

  1. Please access your multi-function printer’s or single-function printer’s CWIS (CentreWare Internet Service) via a Web Browser using the device's IP address, as an Administrator.
  2. Once you are logged in, please click on the “System” tab. Please refer to the sample image below.

  3. Please scroll down and click on the “Certificates” option. Please refer to the sample image below.

  4. Please click on “Certificate Settings” and click on the “Create” dropdown list. An option to “Create Certificate Signing Request (CSR)” will be available for your selection.

  5. Please note that the sample images are from the Apeos C6580; there may be differences in the CentreWare Internet Service user interface depending on your model.

Contact

Please visit the FUJIFILM Business Innovation support website for more details: