[German]Today (Nov. 30,) is Computer Security Day, and this topic fits perfectly. There are several firmware vulnerabilities of certain HP LaserJet, HP LaserJet Managed, HP PageWide and HP PageWide Managed products. These are potentially vulnerable to a buffer overflow. This means attackers could intercept print jobs or scans and potentially worm corporate networks.
Advertising
A few days agao, I addressed security issues in printers (see my blog post Printjack: Security researchers warn against attacks on printers) and explained that there was a risk of GDPR violations. This was a theoretical work by two security researchers. Now it is becoming concrete: Around 150 HP multi-function printers are having eight years old vulnerabilities in their fimware – and can also become a gateway for attacks on corporate networks.
F-Secure warns about Printing Shellz
F-Secure security researchers Alexander Bolshev and Timo Hirvonen used an HP M725z multifunction printer (MFP) as a test environment to check its firmware for vulnerabilities. They found several vulnerabilities in the firmware of at least 150 multifunction printers (print, scan, fax) from the manufacturer Hewlett Packard.
Above tweet mentions, that HP devices contains the following vulnerabilities in their firmware:
- CVE-2021-39237: Information Disclosure, CVSS 7.1 (High), according to the F-Secure description, an UART interface on the board allows access to the UEFI shell control, the other to the root Linux shell of the scanner module. Exploitation of the vulnerability requires access to the device.
- CVE-2021-39238: Potential buffer overflow, CVSS 9.3 (Critical), according to F-Secure, the remote code execution vulnerability could allow a local or remote attacker to gain control of the printer software, steal documents being scanned or printed, or move laterally through the network infrastructure. An attacker can exploit this vulnerability in a number of ways, printing via USB, printing via email, or invoking printing via a browser with JavaScript code on a web page.
While the CVE-2021-39237 only allows information disclosure if the attacker has access to the device, the CVE-2021-39238 is of a different caliber. The buffer overflow in the firmware's font parser is rated critical due to fear of remote code execution (RCE). In addition, the vulnerability is classified as "wormable," meaning that an attacker could distribute their malware to an entire corporate network via an infected printer. These vulnerabilities date back to 2013 and could have exposed their users to cyber attacks since that time. The two security researchers publicly disclosed these vulnerabilities under the term Printing Shellz in this blog post. A 35-page PDF document can be read for the details.
Advertising
Mitigations against Printing Shellz
The security researchers strongly recommend installing the firmware update available for the specific device. For the list of affected HP MFP models and instructions on how to obtain the updated firmware, please refer to the HP security bulletins:
which HP has already created as of November 1, 2021, but last published today, November 30, 2021. Furthermore, it is recommended to physically restrict access to the printers and multifunction devices to prevent such attacks. Furthermore, the devices should be included in a separate, firewalled VLAN. This step is necessary because an attacker can communicate directly with JetDirect TCP/IP port 9100, exploiting the vulnerability on the same network segment.
Workstations should communicate with a dedicated print server, and only the print server should be configured to communicate with the HP printer. This is important because without proper network segmentation, the vulnerability could be exploited by a malicious website sending the attack directly to port 9100 of the browser.
To prevent lateral movement and C&C communication from a compromised MFP, outbound connections from the printer segment should be
should only be allowed to explicitly listed addresses.
Finally, it is recommended that HP best practices for securing access to device settings be followed to prevent unauthorized
unauthorized changes to the security settings.
