Researchers have discovered several vulnerabilities affecting at least 150 multi-function (print, scan, fax) printers made by Hewlett Packard.
Since the flaws discovered by F-Secure security researchers Alexander Bolshev and Timo Hirvonen date back to at least 2013, they've likely exposed a large number of users to cyberattacks for a notable amount of time.
HP has released fixes for the vulnerabilities in the form of firmware updates for two of the most critical flaws on November 1, 2021.
These are CVE-2021-39237 and CVE-2021-39238. For a complete list of the affected products, click on the tracking numbers for the corresponding advisories.
The first one concerns two exposed physical ports that grant full access to the device. Exploiting it requires physical access and could lead to potential information disclosure.
The second one is a buffer overflow vulnerability on the font parser, which is a lot more severe, having a CVSS score of 9.3. Exploiting it gives threat actors a way to remote code execution.
CVE-2021-39238 is also "wormable," meaning a threat actor could quickly spread from a single printer to an entire network.
As such, organizations must upgrade their printer firmware as soon as possible to avoid large-scale infections that start from this often ignored point of entry.
F-Secure’s Bolshev and Hirvonen used an HP M725z multi-function printer (MFP) unit as their testbed to discover the above flaws.
After they reported their findings to HP on April 29, 2021, the company found that, unfortunately, many other models were also affected.
As the researchers explain in F-Secure’s report, there are several ways to exploit the two flaws, including:
To exploit CVE-2021-39238, it would take a few seconds, whereas a skilled attacker could launch a catastrophic assault based on the CVE-2021-39237 in under five minutes.
However, it would require some skills and knowledge, at least during this first period when not many technical details are public.
Also, even if printers themselves aren’t ideal for proactive security examination, they can detect these attacks by monitoring network traffic and looking into the logs.
Finally, F-Secure points out that they have seen no evidence of anyone using these vulnerabilities in actual attacks. Hence, the F-Secure researchers were likely the first to spot them.
An HP spokesperson has shared the following comment with Bleeping Computer:
HP constantly monitors the security landscape and we value work that helps identify new potential threats. We have published a security bulletin for this potential vulnerability here. The security of our customers is a top priority and we encourage them to always stay vigilant and to keep their systems up to date.
Apart from upgrading the firmware on the affected devices, admins can follow these guidelines to mitigate the risk of the flaws:
The last point underlines that even without fixing patches if proper network segmentation practices are followed the chances of suffering damage from network intruders drop significantly.
A detailed guide on the best practices for securing your printer is available in HP’s technical paper. You can also watch a video demo of how this HP printer vulnerability can be exploited below.
Hundreds of HP printer models vulnerable to remote code execution
Western Digital My Cloud OS update fixes critical vulnerability
HP patches 16 UEFI firmware bugs allowing stealthy malware infections
Access:7 vulnerabilities impact medical and IoT devices
CISA urges orgs to patch actively exploited Windows SeriousSAM bug