CVE-2022-26320

high-risk
Published 2022-03-14

The Rambus SafeZone Basic Crypto Module before 10.4.0, as used in certain Fujifilm (formerly Fuji Xerox) devices before 2022-03-01, Canon imagePROGRAF and imageRUNNER devices through 2022-03-14, and potentially many other devices, generates RSA keys that can be broken with Fermat's factorization method. This allows efficient calculation of private RSA keys from the public key of a TLS certificate.

Do I need to act?

-
0.52% chance of exploitation
EPSS score — low exploit probability
-
Not on CISA KEV list
No confirmed active exploitation reported to CISA
?
Patch status unknown
Check vendor advisories for fix availability and mitigation guidance
9
CVSS 9.1/10 Critical
NETWORK / LOW complexity

Affected Products (20)

Safezone Basic Crypto Module
Apeos C7070 Firmware
Apeos C6570 Firmware
Apeos C5570 Firmware
Apeos C4570 Firmware
Apeos C3570 Firmware
Apeos C3070 Firmware
Apeos C7070 G Firmware
Apeos C6570 G Firmware
Apeos C5570 G Firmware
Apeos C4570 G Firmware
Apeos C3570 G Firmware
Apeos C3070 G Firmware
Apeos C328 Df Firmware
Apeos C328 Dw Firmware
Apeos C325 Dw Firmware
Apeos C325 Z Firmware
Apeos C8180 Firmware
Apeos C7580 Firmware
Apeos C6580 Firmware

Affected Vendors

Canon Fujifilm Rambus

References (9)

Third Party Advisory https://fermatattack.secvuln.info
Third Party Advisory https://global.canon/en/support/security/index.html
https://web.archive.org/web/20220922042721/https://safezoneswupdate.com/
Mitigation https://www.fujifilm.com/fbglobal/eng/company/news/notice/2022/0302_rsakey_annou...
https://www.rambus.com/security/response-center/advisories/rmbs-2021-01/
Third Party Advisory https://fermatattack.secvuln.info
Third Party Advisory https://global.canon/en/support/security/index.html
https://safezoneswupdate.com
Mitigation https://www.fujifilm.com/fbglobal/eng/company/news/notice/2022/0302_rsakey_annou...
62
/ 100
high-risk
Severity 31/34 · Critical
Exploitability 2/34 · Minimal
Exposure 29/34 · Critical