Researchers have discovered several vulnerabilities affecting at least 150 models of multifunction printers (print, scan, fax) manufactured by HP.
Since the vulnerabilities discovered by F-Secure security researchers Alexander Bolshev and Timo Hirvonen date back to at least 2013, they have likely exposed a large number of users to cyber attacks for a considerable period of time.
HP released vulnerability fixes in the form of firmware updates for two of the most critical vulnerabilities on November 1, 2021.
The first, CVE-2021-39237, involves two exposed physical ports that grant full access to the device. Exploiting it requires physical access and could lead to information disclosure.
The second, CVE-2021-39238, is a much more serious buffer overflow in the font parser, with a CVSS score of 9.3. Exploiting it gives threat actors a way to execute code remotely.
CVE-2021-39238 is also "wormable", meaning that an attacker could quickly spread from a single compromised printer to every other vulnerable printer on the network.
As such, businesses should upgrade their printer firmware as soon as possible to avoid large-scale infections that start from this often overlooked entry point.
Several potential vectors
F-Secure’s Bolshev and Hirvonen used an HP M725z Multifunction Printer (MFP) as a test bed to uncover the above flaws.
After the researchers reported their findings to HP on April 29, 2021, the company found that many other models were affected as well.
As the researchers explain in the F-Secure report, there are several ways to exploit both flaws, including:
- Printing from USB drives, the method the researchers themselves used. On modern firmware versions, printing from USB is disabled by default.
- Social engineering a user into printing a malicious document; it may be possible to embed an exploit for the font parsing vulnerability in a PDF.
- Printing by connecting directly to the physical LAN port.
- Printing from another device under the attacker’s control and in the same network segment.
- Cross-Site Printing (XSP): sending the exploit to the printer directly from a victim's browser via an HTTP POST to the JetDirect service on TCP port 9100. This is probably the most attractive attack vector.
- A direct attack through the exposed UART ports covered by CVE-2021-39237, if the attacker has brief physical access to the device.
Exploiting CVE-2021-39238 would take only a few seconds, while a skilled attacker could mount a serious attack based on CVE-2021-39237 in under five minutes.
Doing so would, however, require skill and knowledge, at least during this early period in which few technical details are public.
Additionally, while the printers themselves are poor candidates for a proactive security review, these attacks can be detected by monitoring network traffic and reviewing logs.
Finally, F-Secure points out that it has seen no evidence of these vulnerabilities being exploited in real attacks; its researchers were probably the first to spot them.
An HP spokesperson shared the following comment with Bleeping Computer:
HP is constantly monitoring the security landscape and we value the work that helps identify potential new threats. We have published a security bulletin for this potential vulnerability here. The safety of our customers is a top priority and we encourage them to always remain vigilant and keep their systems up to date.
In addition to upgrading the firmware on affected devices, administrators can follow these guidelines to reduce the risk:
- Disable printing from USB
- Place the printer in a separate VLAN behind a firewall
- Only allow outgoing connections from the printer to a specific address list
- Set up a dedicated print server for communication between workstations and printers
The last point underlines that, even on unpatched devices, proper network segmentation greatly reduces the chance of a network intruder doing damage.
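One way to put the detection point above (watch network traffic rather than the printer itself) and the segmentation guidelines into practice is to express the policy as data (a dedicated print server, printers allowed to reach only an allow-list) and evaluate connection records against it. The following Python is an added example written for this page, not code from F-Secure's research or HP's bulletin; the record format, the addresses, the sample flows and the "HTTP request on port 9100" heuristic for Cross-Site Printing are assumptions made for illustration.

```python
"""Flow-based detection for the printer attack vectors discussed above.

Added example, not code from F-Secure's research or HP's bulletin. The record
fields, the network layout and the sample flows are constructed for
illustration (assumptions, not taken from the article).
"""
from __future__ import annotations

from dataclasses import dataclass

# Ports on which an HP MFP accepts print jobs: JetDirect raw (9100), IPP (631), LPD (515).
PRINT_PORTS = frozenset({9100, 631, 515})


@dataclass(frozen=True)
class Flow:
    """One connection as a flow collector or Zeek-style conn log would record it."""
    src: str
    dst: str
    dport: int
    first_bytes: bytes = b""  # leading client payload bytes, if the sensor captured them


@dataclass(frozen=True)
class Policy:
    """The segmentation guidelines above, expressed as data."""
    printers: frozenset[str]        # members of the printer VLAN
    print_server: str               # the only host allowed to submit jobs
    printer_egress: frozenset[str]  # addresses printers may initiate connections to


def classify(flow: Flow, policy: Policy) -> list[str]:
    """Return the policy violations / attack indicators a single flow exhibits."""
    findings: list[str] = []

    if flow.src in policy.printers:
        # A printer should only ever talk to the allow-listed addresses.
        if flow.dst not in policy.printer_egress:
            findings.append("printer-egress-violation")
            # A printer opening the raw port of another printer is the traffic
            # pattern a self-propagating exploit of CVE-2021-39238 would produce.
            if flow.dst in policy.printers and flow.dport == 9100:
                findings.append("printer-to-printer-9100")

    elif flow.dst in policy.printers and flow.dport in PRINT_PORTS:
        # Only the dedicated print server may submit jobs; anything else is a
        # workstation, a rogue same-segment host, or a device on the LAN port.
        if flow.src != policy.print_server:
            findings.append("direct-print-bypass")
            # Cross-Site Printing: the browser's HTTP request line and headers
            # arrive verbatim on port 9100, where JetDirect treats them as job
            # data. (Heuristic assumed for this example.)
            if flow.dport == 9100 and flow.first_bytes.startswith((b"POST ", b"GET ")):
                findings.append("cross-site-printing")

    return findings


def scan(flows: list[Flow], policy: Policy) -> dict[int, list[str]]:
    """Map the index of every flagged flow to its findings."""
    result: dict[int, list[str]] = {}
    for i, flow in enumerate(flows):
        findings = classify(flow, policy)
        if findings:
            result[i] = findings
    return result


# Constructed sample: printers in 10.0.20.0/24, reachable only via print server 10.0.10.5.
POLICY = Policy(
    printers=frozenset({"10.0.20.10", "10.0.20.11"}),
    print_server="10.0.10.5",
    printer_egress=frozenset({"10.0.10.5"}),
)

SAMPLE_FLOWS = [
    Flow("10.0.10.5", "10.0.20.10", 9100),                           # 0: print server job, expected
    Flow("10.0.1.37", "10.0.20.10", 9100, b"POST / HTTP/1.1\r\n"),  # 1: browser -> printer (XSP)
    Flow("10.0.1.42", "10.0.20.10", 631),                            # 2: workstation printing over IPP directly
    Flow("10.0.20.10", "10.0.10.5", 445),                            # 3: printer -> print server (allow-listed)
    Flow("10.0.20.10", "10.0.20.11", 9100),                          # 4: printer -> printer raw port (worm-like)
    Flow("10.0.20.10", "203.0.113.9", 443),                          # 5: printer -> outside host
]

if __name__ == "__main__":
    for idx, found in scan(SAMPLE_FLOWS, POLICY).items():
        f = SAMPLE_FLOWS[idx]
        print(f"{f.src} -> {f.dst}:{f.dport}  {', '.join(found)}")
```

Run the file to list the flagged sample flows; to use it on real data, build Flow objects from your conn-log or NetFlow export. The cross-site-printing indicator only fires when the sensor captured payload bytes; without payload capture the same connection is still reported as a direct-print bypass, which is what the segmentation policy forbids in the first place.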
A detailed guide to best practices for securing your printer is available in HP’s technical document. You can also watch a video demonstration of how this HP printer vulnerability can be exploited below.