Serious vulnerability in printer drivers from HP, Xerox and Samsung

There has been a severe vulnerability, CVE-2021-3438, in the printer drivers of the manufacturers HP, Xerox and Samsung (presumably only laser printers) for 16 years, and it affects millions of devices. The vulnerability was reported to HP on February 18, 2021, and an updated printer driver has been available since May 19, 2021. Here is some information on the issue provided to me by the security researchers.


Security researchers at SentinelLabs, the research unit of SentinelOne, came across a serious flaw in HP, Xerox and Samsung printer drivers some time ago. The discovery was more or less due to chance: a few months ago, while configuring a brand new HP printer, the SentinelLabs team, thanks to a tip from Process Hacker, once again came across an old printer driver, SSPORT.SYS, which dates back to 2005. This means that the vulnerability described below has probably existed since 2005, and since that date hundreds of millions of printers from the manufacturers in question have shipped worldwide with the vulnerable driver. The vulnerability was given a CVSS score of 8.8 and was assigned CVE-2021-3438.

Privilege Escalation (CVE-2021-3438)

The problem with CVE-2021-3438 is that the affected Windows driver is installed and loaded without asking or notifying the user. This happens regardless of whether the printer is configured for wireless operation or connected via a USB cable. In addition, Windows loads the driver every time the system boots. This makes the driver an ideal target for attack, as it is always loaded on the device as a result of the installation, even if no printer is connected.

The vulnerable function within the driver accepts data sent from user mode via IOCTL (Input/Output Control) without validating the size parameter. This allows attackers to cause a buffer overrun in the driver. Exploiting such a kernel driver vulnerability can let a non-privileged user escalate to the SYSTEM account and execute code in kernel mode.
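The missing size check described above, modelled in user-mode C as an added example: it is not code from SSPORT.SYS or from the researchers, and every name in it (`handle_unchecked`, `handle_checked`, `run_checked`, the structs, the 64-byte buffer) is hypothetical. It places the flawed pattern beside the hardened one and sends constructed requests only through the hardened handler.

```c
/* User-mode model of an IOCTL handler. All names are hypothetical;
 * nothing here is taken from SSPORT.SYS. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DEV_BUF_SIZE 64u
#define GUARD 0xC0FFEEu
enum { IOCTL_OK = 0, IOCTL_BAD_PARAM = -1, IOCTL_TOO_LARGE = -2, GUARD_HIT = -3 };
struct ioctl_request { const uint8_t *in_buf; size_t in_len; }; /* caller-controlled */
struct device_state {
    uint8_t buf[DEV_BUF_SIZE];  /* fixed-size destination */
    uint32_t guard;             /* stands in for adjacent kernel data */
};

/* Flawed pattern: in_len is trusted, so in_len > DEV_BUF_SIZE writes past buf. */
int handle_unchecked(struct device_state *dev, const struct ioctl_request *req)
{
    memcpy(dev->buf, req->in_buf, req->in_len);
    return IOCTL_OK;
}

/* Hardened pattern: reject the request before any byte is copied. */
int handle_checked(struct device_state *dev, const struct ioctl_request *req)
{
    if (dev == NULL || req == NULL || req->in_buf == NULL)
        return IOCTL_BAD_PARAM;
    if (req->in_len > sizeof dev->buf)
        return IOCTL_TOO_LARGE;
    memcpy(dev->buf, req->in_buf, req->in_len);
    return IOCTL_OK;
}

/* Send a constructed request of claimed_len bytes through the checked handler. */
int run_checked(size_t claimed_len)
{
    static const uint8_t input[256] = {0};          /* constructed sample input */
    struct device_state dev = { .guard = GUARD };
    struct ioctl_request req = { input, claimed_len };
    int status = handle_checked(&dev, &req);
    return dev.guard == GUARD ? status : GUARD_HIT;  /* guard must survive */
}

int main(void)
{
    printf("len 64 -> %d, len 65 -> %d\n", run_checked(64), run_checked(65));
    return 0;
}
```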

The whole thing reads to me almost like a continuation of the PrintNightmare issue, although that is a different issue. This vulnerability can be used to bypass security programs to install malware, view, modify, encrypt or delete data, or create new accounts with full user privileges, among other things. One conceivable scenario, for example, would be hackers injecting ransomware to lock down systems and then demand a ransom. SentinelOne has published more details about the bug in question in this blog post.

Vulnerability in driver patched

SentinelLabs reported the findings to HP on February 18, 2021. HP is responsible for driver development for the manufacturers mentioned above. HP released a security update to its customers on May 19 to address the vulnerability. At this time, there is no evidence of active or successful attacks based on the vulnerability; however, the vulnerability presents opportunities for attackers to inject malware into systems via printers.


What to do?

The vulnerability and necessary countermeasures are described in HP Security Advisory HPSBPI03724 and Xerox Advisory Mini Bulletin XRX21K. It affects 380 different HP and Samsung printer models and at least a dozen different Xerox devices. Only laser printers show up in the HP device list when you browse it, but you can check the devices for yourself.

Users of HP, Xerox and Samsung printers – both enterprise and consumer – should install the provided patch as soon as possible. Although HP is issuing a patch in the form of a corrected driver, note that the certificate has not yet been revoked. The vulnerable driver can potentially still be used for BYOVD (bring your own vulnerable driver) attacks.


1 Response to Serious vulnerability in printer drivers from HP, Xerox and Samsung

  1. Chris Pugson says:

    The HP support application is very non-intuitive. Once it was installed, it would not identify my ancient HP LaserJet 1100 which is actually supported by a Microsoft supplied driver. There is no SSPORT.SYS file in the C:\Windows\System32\driver\ folder so, puzzled and confused, I guess that my HP LaserJet 1100 driver is not affected by the vulnerability but I would like to be sure.
