Several vulnerabilities affecting at least 150 multi-function (print, scan, fax) printers made by Hewlett Packard were discovered by security researchers.
The flaws were discovered by Alexander Bolshev and Timo Hirvonen, security researchers at F-Secure. As the flaws date back to at least 2013, they are likely to have exposed a large number of users to cyberattacks for a considerable amount of time.
On November 1, 2021, HP released fixes in the form of firmware updates for the two most critical flaws.
The critical flaws are CVE-2021-39237 and CVE-2021-39238. The first concerns two exposed physical ports that grant full access to the device; exploiting it requires physical access and could lead to information disclosure.
The second is a severe buffer overflow vulnerability in the font parser, with a CVSS score of 9.3. Exploiting it gives threat actors a path to remote code execution. This flaw is also “wormable,” allowing a threat actor to spread quickly from a single printer to an entire network.
Organizations should upgrade their printer firmware as soon as possible to avoid large-scale infections that start from this often-ignored point of entry.
F-Secure’s Bolshev and Hirvonen used an HP M725z multi-function printer (MFP) as their testbed to discover the flaws. They reported their findings to HP on April 29, 2021, and the company found that several other models were also affected.
The attack scenarios explained by the researchers include the following:
- Printing from USB drives, which is also the method used during the research. In modern firmware versions, printing from USB is disabled by default.
- Social engineering a user into printing a malicious document. It may be possible to embed an exploit for the font-parsing vulnerabilities in a PDF.
- Printing by connecting directly to the physical LAN port.
- Printing from another device that is under the attacker’s control and in the same network segment.
- Cross-site printing (XSP): sending the exploit to the printer directly from the browser using an HTTP POST to JetDirect port 9100/TCP. This is the most attractive attack vector.
- Direct attack via exposed UART ports mentioned in CVE-2021-39237, if the attacker has physical access to the device for a short time.
It takes only a few seconds to exploit CVE-2021-39238, while a skilled attacker could exploit CVE-2021-39237 in about five minutes.
The researchers stated that there is no evidence of anyone using these vulnerabilities in actual attacks.
Apart from upgrading the firmware, administrators can apply the following mitigations:
- Disable printing from USB.
- Place the printer into a separate VLAN sitting behind a firewall.
- Only allow outbound connections from the printer to a specific list of addresses.
- Set up a dedicated print server for the communication between workstations and the printers.
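As an added example (not from the article, HP or F-Secure), a small Python check that applies the segmentation mitigations above to flow records: it flags any connection to JetDirect 9100/TCP on a printer that does not come from the dedicated print server, and any outbound connection from the printer VLAN to a host outside an allowlist. The addresses, VLAN and the "src dst proto dport" record format are assumptions.

```python
import ipaddress

# Assumed network layout for this example (not from the article): printer VLAN,
# the dedicated print server, and the only hosts a printer may reach outbound.
PRINTER_VLAN = ipaddress.ip_network("10.50.0.0/24")
PRINT_SERVER = ipaddress.ip_address("10.10.0.5")
OUTBOUND_ALLOW = {PRINT_SERVER, ipaddress.ip_address("10.10.0.53")}
JETDIRECT_PORT = 9100  # raw print port named in the article's XSP scenario

def parse_flow(line):
    """Parse one 'src dst proto dport' record; None for malformed lines."""
    parts = line.split()
    if len(parts) != 4:
        return None
    try:
        return (ipaddress.ip_address(parts[0]), ipaddress.ip_address(parts[1]),
                parts[2].lower(), int(parts[3]))
    except ValueError:
        return None

def check_flows(lines):
    """Return (rule, src, dst, dport) tuples for flows violating the mitigations."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        src, dst, proto, dport = flow
        # Rule 1: only the print server may open JetDirect 9100/TCP on a printer;
        # anything else is a workstation, browser (XSP) or rogue device bypassing it.
        if (dst in PRINTER_VLAN and proto == "tcp" and dport == JETDIRECT_PORT
                and src != PRINT_SERVER):
            findings.append(("direct-9100-bypass", str(src), str(dst), dport))
        # Rule 2: a printer may only initiate connections to allow-listed hosts.
        if src in PRINTER_VLAN and dst not in PRINTER_VLAN and dst not in OUTBOUND_ALLOW:
            findings.append(("printer-egress-denied", str(src), str(dst), dport))
    return findings

# Constructed sample flow records: "src dst proto dport"
SAMPLE_FLOWS = [
    "10.10.0.5 10.50.0.20 tcp 9100",   # print server -> printer: expected
    "10.20.0.77 10.50.0.20 tcp 9100",  # workstation -> printer directly: flagged
    "10.50.0.20 10.10.0.53 udp 53",    # printer -> allow-listed host: fine
    "10.50.0.20 203.0.113.9 tcp 443",  # printer -> unknown external host: flagged
    "not a flow record",               # malformed line is skipped
]

if __name__ == "__main__":
    for rule, src, dst, dport in check_flows(SAMPLE_FLOWS):
        print(f"{rule}: {src} -> {dst}:{dport}")
```

Feed it exported firewall or NetFlow records in the same shape to spot workstations that reach printers directly instead of through the print server, and printers calling out to unexpected hosts.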