Sharp MX-C300P / MX-C300PE / MX-C300PL (serv.man28) Service Manual / Technical Bulletin ▷ View online
Sharp Electronics (UK) Ltd., Document Systems Support
1/4
Date:
4th June 2014
Model:
See below
Ref.:
CCE-1317
Colour:
White
Page:
1 of 3
TECHNICAL BULLETIN
OPEN SSL VULNERABILITY
FIRMWARE RELEASE
FOR FIELD SUPPORT VERSION
FIRMWARE RELEASE
FOR FIELD SUPPORT VERSION
1. Model Name:
MX-2614N/3114N (Except for Russia)
MX-2615N/3115N (For USA)
MX-FR40U (Data Security Kit for MX-2614N/3114N/2615N/3115N)
MX-4140N/4141N/5140N/5141N
MX-FR42U (Data Security Kit for MX-4140N/4141N/5140N/5141N)
MX-M365N/M465N/M565N
MX-FR44U (Data Security Kit for MX-M365N/M465N/M565N)
MX-C250/C250E/C250F/C250FE/C300/C300A/C300E/C300F/C300W/C300WE
MX-C300P/C300PE/C300PL
2. Description:
New firmware to resolve the vulnerability of Open SSL on our digital Multifunction printers
listed above has been released.
Data can properly be protected by taking countermeasures (placing MFP within the firewall
etc.) described in [Appendix-1]. For the customer who are unable to do these
countermeasures due to circumstances beyond their control, please update the firmware to
this version.
Model Name
Target Version
Supported Version
MX-2614N/3114N (Except for Russia)
MX-2615N/3115N (For USA)
MX-2615N/3115N (For USA)
0600G200 or later
0600G2c0
MX-FR40U
(Data Security Kit for MX-2614N/3114N/2615N/3115N)
(Data Security Kit for MX-2614N/3114N/2615N/3115N)
0600Gd00 or later
0600Gdc0
MX-4140N/4141N/5140N/5141N
All
0201R2a0
MX-FR42U
(Data Security Kit for MX-4140N/4141N/5140N/5141N)
(Data Security Kit for MX-4140N/4141N/5140N/5141N)
All
0200Rda0
MX-M365N/M465N/M565N
All
0200o1d0
MX-FR44U
(Data Security Kit for MX-M565N/M465N/M365N)
(Data Security Kit for MX-M565N/M465N/M365N)
All
0200oca0
MX-C250/C250E/C250F/C250FE
MX-C300/C300A/C300E/C300F/C300W/C300WE
MX-C300/C300A/C300E/C300F/C300W/C300WE
All
0203E1b0
MX-C300P/C300PE/C300PL
All
0102Y1a0
* Other models of MFP or options than above are not affected.
Sharp Electronics (UK) Ltd., Document Systems Support
2/4
Required Operation after Updating the Firmware
Whether the MFP had already been attacked or not is not clear, since the private key of the MFP or
admin/user passwords can be stolen without any trace in such a case. To avoid information leak
using the stolen private key or illegal access using the stolen admin/user passwords, the following
operations are required:
1. Change admin and user passwords
Please enforce users to manage the new passwords properly and not to forget them.
2. Reissue SSL server certificate (not required for Neo MFP and Neo Printer)
The MFP SSL server certificate that was used before updating the firmware shall be revoked and
reissued.
When SSL certificate was used by default settings: Enter [Security Settings]-[SSL
Settings]-[Certificate Creation] from System Settings, enter appropriate information and click
“Submit”.
When CA-signed SSL certificate was introduced: Enter [Security Settings]-[SSL Settings]-[Make of
Certificate Signing Request(CSR)] from System Settings, enter appropriate information and click
“Execute”. Then send the created CSR to the CA. The CA signs a new certificate and sends it
back. Install the signed certificate from [Security Settings]-[SSL Settings]-[Installation of
Certificate]. Some major CAs offer free reissue of a certificate.
Sharp Electronics (UK) Ltd., Document Systems Support
3/4
[Appendix-1]
1. Summary of Vulnerability
Due to the bug existing to the specific version of OpenSSL which is software module of open-source
encrypted communication, the malicious attacker can illegally read the contents of data in the memory
of the communication partner.
Contents of the memory may include the secret key and the detail of communication on the server,
depending on the timing of reading.
2. Extent of impact with vulnerability when using our product/service
Following countermeasures will enable the c
ustomer’s information to be properly protected.
Please check the installation status/setting status.
■ When connecting from external device to Digital Malfunction Printer;
The information of Admin password of MFP or secret key used for SSL communication may illegally be
read by the attack of the malicious attacker. However, those information can be protected from the
unauthorized access from outside by placing MFP within the firewall.
■When connecting from MFP to the external server;
Please limit the communication only with the reliable server.
As for the access to the external website using Web Browsing Expansion Kit (MX-AM10), even though
the model is applicable to this vulnerability, it is not affected as the used software module is different.
Sharp Electronics (UK) Ltd., Document Systems Support
4/4
Display