CVE-2024-11344 Overview
CVE-2024-11344 is a type confusion vulnerability [CWE-843] in the Postscript interpreter used across multiple Lexmark devices. An attacker can leverage the flaw to execute arbitrary code on affected printers and multifunction devices. The issue is network-reachable and requires no authentication or user interaction, making exposed print services a viable entry point into enterprise environments.
Lexmark published a security advisory describing the affected models and firmware. The vulnerability was published to the National Vulnerability Database (NVD) on February 13, 2025.
Critical Impact
A remote, unauthenticated attacker can send a crafted Postscript document to the interpreter and trigger arbitrary code execution on the device.
Affected Products
- Lexmark devices running affected firmware with the vulnerable Postscript interpreter
- See the Lexmark Security Advisory for the complete list of impacted models and firmware versions
Discovery Timeline
- 2025-02-13 - CVE-2024-11344 published to NVD
- 2026-04-15 - Last updated in NVD database
Technical Details for CVE-2024-11344
Vulnerability Analysis
The vulnerability is a type confusion flaw [CWE-843] in the embedded Postscript interpreter that Lexmark devices use to parse print jobs. Postscript is a stack-based, Turing-complete page description language. Interpreters track the runtime type of each object on the operand stack and dispatch operators based on that type.
When an interpreter accesses an object as one type while it was allocated as another, the resulting memory access bypasses safety assumptions baked into the operator implementation. An attacker who controls the input stream can stage objects so that a later operator reads or writes memory using a confused type, producing a primitive sufficient for arbitrary code execution on the device.
Because Postscript jobs reach printers through standard print channels, exploitation does not require credentials or local access. The affected devices typically run with elevated privileges on the printer firmware, giving attackers a foothold inside the network with persistent access to print traffic.
Root Cause
The root cause is improper type checking inside the Postscript interpreter. The interpreter trusts type metadata that an attacker-supplied document can influence, allowing operators to act on objects that do not match the expected type signature. The result is an exploitable memory corruption primitive triggered through legitimate Postscript constructs.
Attack Vector
The attack vector is network-based. An attacker submits a malicious Postscript document to the printer over any service that hands the document to the interpreter, including LPD on TCP/515, IPP on TCP/631, raw print on TCP/9100, or web-based submission endpoints. No authentication or user interaction is required. Exploitation results in arbitrary code execution within the device firmware.
No public proof-of-concept exploit is available, and the vulnerability is not listed in the CISA Known Exploited Vulnerabilities catalog. Refer to the Lexmark Security Advisory for vendor-supplied technical details.
Detection Methods for CVE-2024-11344
Indicators of Compromise
- Unexpected Postscript jobs submitted from non-print-server hosts to printer ports TCP/515, TCP/631, or TCP/9100
- Outbound network connections initiated by printer firmware to external hosts after job processing
- Printer reboots, service crashes, or firmware integrity warnings following receipt of large or malformed Postscript jobs
Detection Strategies
- Inspect print traffic at the network layer for oversized or malformed Postscript documents containing unusual operator sequences
- Baseline normal print sources and alert on direct device submissions that bypass managed print servers
- Correlate printer SNMP and syslog events for repeated interpreter errors or unexpected restarts
Monitoring Recommendations
- Forward printer syslog, SNMP traps, and authentication events to a centralized SIEM or data lake for analysis
- Monitor egress traffic from the printer VLAN and flag any non-standard destinations or protocols
- Track firmware versions across the fleet and alert when a device drops below the patched baseline published by Lexmark
How to Mitigate CVE-2024-11344
Immediate Actions Required
- Identify all Lexmark devices in the environment and cross-reference firmware against the affected list in the Lexmark advisory
- Apply Lexmark firmware updates as soon as they are validated in a test group
- Restrict printer management and print submission to dedicated print servers and management VLANs
- Block direct printer access from end-user and guest networks at the firewall
Patch Information
Lexmark has published remediation guidance and firmware updates through its security advisory portal. Consult the Lexmark Security Advisory for the firmware versions that address CVE-2024-11344 and apply the corresponding update for each model.
Workarounds
- Disable the Postscript interpreter on devices where Postscript is not required, using the embedded web server or device management console
- Restrict inbound access to print services (TCP/515, TCP/631, TCP/9100) using network access control lists so only authorized print servers can submit jobs
- Place printers on a segmented VLAN with egress filtering that blocks arbitrary outbound connections from device firmware
# Example: restrict printer ingress to an authorized print server only
iptables -A FORWARD -p tcp -s <print_server_ip> -d <printer_ip> --dport 9100 -j ACCEPT
iptables -A FORWARD -p tcp -d <printer_ip> --dport 9100 -j DROP
iptables -A FORWARD -p tcp -d <printer_ip> --dport 515 -j DROP
iptables -A FORWARD -p tcp -d <printer_ip> --dport 631 -j DROP
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
