HP Inc. has issued firmware updates for multiple security vulnerabilities that affect more than 150 models of its multifunction printer (MFP) products.
These issues are not particularly easy to exploit. However, they present a threat to enterprise organizations because they give attackers a means to steal data and gain a foothold on a network, according to F-Secure researchers who discovered the bugs and reported them to HP in April 2021.
The flaws are also dangerous because forensic tools are not typically capable of recovering evidence from multifunction printers. An attacker who wanted to maintain stealth could exploit the flaws and leave very little evidence behind, F-Secure said.
The bugs have been assigned two vulnerability identifiers: CVE-2021-39237 is a single identifier for two exposed physical ports and CVE-2021-39238
for two different font parsing flaws. HP products that contain the vulnerabilities include models of the company’s HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers.
In advisories announcing patch availability, HP described
one of the vulnerabilities (CVE-2021-39238) as a critical buffer overflow issue and the other
(CVE-2021-39237) as a high-severity information disclosure vulnerability that could be exploited only by someone with physical access to the device.
“Customers concerned about potential physical attacks should follow the recommendation in the product user guide to use a Kensington-style lock to protect against these and other potential types of physical attacks on HP printers,” the company said.
HP is one of the largest printer makers in the world. IDC earlier this year estimated HP currently owns 41% of the worldwide market for hard-copy peripherals, a category that includes single and multifunction printers and digital copiers.
In a blog post on Tuesday, F-Secure said attackers could exploit these flaws to take control of vulnerable HP multifunction printers or steal any information that is either run or cached on the devices. Data at risk includes any documents that are printed, scanned, or faxed using a vulnerable device. Also at risk are login credentials such as usernames and passwords that might connect a vulnerable device to the rest of the enterprise network. In addition, attackers could leverage the flaws to gain an initial foothold on a vulnerable network, the security vendor warned.
F-Secure said the flaws can be exploited in multiple ways. This includes printing from USB drives, using social engineering to convince a user to print a malicious document, embedding an exploit for the font-parsing flaws in a PDF, or connecting directly to the physical LAN port and printing.
The vulnerabilities exist in the font parser and communications board of affected HP printers. The font parser flaws can be exploited remotely and are wormable, meaning an attacker could create malware capable of replicating itself on vulnerable printers across an enterprise network. Bugs in the communication board, meanwhile, can be exploited only by someone with physical access to the device.
F-Secure’s investigation found skilled attackers could likely exploit the bugs relatively easily. The vendor found the vulnerabilities involving physical ports, for instance, could be exploited in a little over five minutes, while the font parser flaws could be leveraged in seconds. However, the vulnerabilities aren’t easy to find or to exploit for unskilled threat actors. The fact that physical access is required to exploit one set of bugs presents another major challenge for attackers. Even so, large organizations in critical sectors and those at risk of targeted attacks should consider the bugs as realistic attack vectors and protect themselves, the security vendor said.
For security teams at organizations with the affected HP products, this is yet another time they are forced to address a significant threat in the printer environment this year.
In June and July, many organizations had to rush to patch vulnerabilities in Microsoft’s infamously buggy Windows Print Spooler service. One of the vulnerabilities in particular — called PrintNightmare — sparked widespread concern because it was remotely exploitable, present in all Windows versions, and gave attackers a way to gain highly privileged access to critical systems, including domain controllers. However, those flaws, while present in a printer service, existed in the operating system itself and not on the printers themselves, as is the case with the newly patched HP printer flaws.