F-Secure has discovered security vulnerabilities that affect 150 HP printers and named them Printing Shellz. Researchers made the discovery earlier this year, but it has only just been made public after HP issued patches. The news will be an embarrassment for HP after it ran a series of adverts promoting the security of its printers around the same time F-Secure was warning it of the problems.
The vulnerabilities allow an attacker to seize control of devices, steal information and infiltrate networks. These are exactly the things HP was priding itself on preventing in its Mr Wolf adverts. In the latest ads, HP calls out the risk of home workers using insecure printers. It claims they can be used to allow a hacker to gain access to a company’s network, just as these vulnerabilities do.
The vulnerabilities were found by F-Secure security consultants Timo Hirvonen and Alexander Bolshev. They identified the issues with just one printer, HP’s MFP M725z. In its response, HP has issued patches for over 150 different products affected by the vulnerabilities.
Hirvonen said: “It’s easy to forget that modern MFPs are fully-functional computers that threat actors can compromise just like other workstations and endpoints. And just like other endpoints, attackers can leverage a compromised device to damage an organization’s infrastructure and operations.
“Experienced threat actors see unsecured devices as opportunities, so organizations that don’t prioritize securing their MFPs like other endpoints leave themselves exposed to attacks like the ones documented in our research.”
What has F-Secure said?
The researchers identified two vulnerabilities. CVE-2021-39237 is rated 4.8 (medium) by the NVD and is a physical access port vulnerability. HP has rated it as high severity and says it affects HP LaserJet and PageWide models. To exploit the vulnerability, an attacker would need physical access to the device.
CVE-2021-39238 is rated 9.8 (critical) by the NVD. It also affects HP LaserJet and PageWide printers. It allows an attacker to trigger a buffer overflow, which would allow them to execute code remotely. HP has classed this as critical.
In its press release, F-Secure writes about how an attack would take place:
“The most effective method would involve tricking a user from a targeted organization into visiting a malicious website, exposing the organization’s vulnerable MFP to what’s known as a cross-site printing attack. The website would, automatically, remotely print a document containing a maliciously-crafted font on the vulnerable MFP, giving the attacker code execution rights on the device.
“An attacker with these code execution rights could silently steal any information run (or cached) through the MFP. This includes not only documents that are printed, scanned, or faxed, but also information like passwords and login credentials that connect the device to the rest of the network. Attackers could also use compromised MFPs as a beachhead to penetrate further into an organization’s network in pursuit of other objectives (such as stealing or changing other data, spreading ransomware, etc.)”
The blog (mentioned below) also lists several ways that these flaws can be exploited.
The vulnerabilities are not new
In a separate blog, the two researchers do a Q&A about these vulnerabilities. One of the things that they say is that both vulnerabilities date back to 2013. HP sold millions of the affected printers over those eight years, creating a significant attack surface and threat.
They also say that CVE-2021-39238 is wormable. This means that once a device on a company network has been compromised, the attack can spread to other vulnerable printers in the company. That gives the attackers a wide footprint inside the business, potentially affecting all departments.
The researchers also point out that it is incredibly hard for IT security teams to detect this type of attack by looking at the devices. There are few forensic tools available that can recover evidence from MFPs. An attack can be detected using network traffic monitoring.
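The network-monitoring approach can be expressed as rules over flow records, shown here as an added example that is not from F-Secure, HP or the original article. It flags a browser-style HTTP request arriving on a printer's raw print port (the footprint of cross-site printing), print jobs sent from one printer to another (worm-like spread), and printer-initiated connections leaving the internal range. The raw print port TCP 9100, the flow-record fields, the printer inventory and all addresses are assumptions constructed for illustration.

```python
import ipaddress

# Assumptions (not from the article): printers accept raw print jobs on
# TCP 9100, and the monitor exports flows with the first payload bytes.
RAW_PRINT_PORT = 9100
HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"HEAD ", b"OPTIONS ")
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

# Constructed printer inventory and flow records, for illustration only.
PRINTERS = {"10.0.5.20", "10.0.5.21", "10.0.7.30"}
SAMPLE_FLOWS = [
    {"src": "10.0.1.15", "dst": "10.0.5.20", "dport": 9100, "head": b"\x1b%-12345X@PJL JOB"},
    {"src": "10.0.1.44", "dst": "10.0.5.20", "dport": 9100, "head": b"POST / HTTP/1.1\r\nHost: 10.0.5.20:9100"},
    {"src": "10.0.5.20", "dst": "10.0.5.21", "dport": 9100, "head": b"\x1b%-12345X@PJL JOB"},
    {"src": "10.0.5.20", "dst": "10.0.7.30", "dport": 9100, "head": b"\x1b%-12345X@PJL JOB"},
    {"src": "10.0.5.21", "dst": "203.0.113.9", "dport": 443, "head": b"\x16\x03\x01"},
    {"src": "10.0.5.21", "dst": "10.0.0.2", "dport": 53, "head": b""},
]

def is_internal(addr):
    """True if addr falls inside one of the organisation's own ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def classify(flow, printers=PRINTERS):
    """Return the alert names raised by a single flow record."""
    alerts = []
    src, dst, dport = flow["src"], flow["dst"], flow["dport"]
    to_print_port = dst in printers and dport == RAW_PRINT_PORT
    # A browser tricked into cross-site printing sends HTTP to the print port.
    if to_print_port and flow["head"].startswith(HTTP_METHODS):
        alerts.append("http-on-raw-print-port")
    # Printers do not normally submit print jobs to other printers.
    if to_print_port and src in printers and src != dst:
        alerts.append("printer-to-printer-job")
    # Printer-initiated traffic leaving the network deserves review.
    if src in printers and not is_internal(dst):
        alerts.append("printer-to-external")
    return alerts

def scan(flows, printers=PRINTERS):
    """Return (alert, src, dst) tuples for every rule hit, in flow order."""
    return [(a, f["src"], f["dst"]) for f in flows for a in classify(f, printers)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_FLOWS):
        print(*hit)
```

The printer-to-external rule will also match legitimate vendor update or telemetry traffic, so it is best treated as a review queue with an allowlist rather than a hard alert.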
There is no evidence that the vulnerabilities have been exploited yet, say the researchers. However, given the length of time the HP printers have been vulnerable, that is no guarantee of protection. They have also said that it would take a skilled attacker very little time to exploit – 5 minutes for physical access and just seconds for the font parser.
Enterprise Times: What does this mean?
Security vendors have called out the risk from printers before. It is what led HP to launch its original series of printers with HP Wolf Security inside. Its latest ads, aimed at people working from home, talk about endpoint security that protects printers.
HP is unlikely to be the only printer vendor with vulnerabilities. As printers have become smarter, they have also gained computing power and local storage. It makes them ideal candidates to spread malware or even hide it from most security scans. IT security teams need to make sure that they find solutions to protect all devices in their network. This is yet another unmanaged attack surface that will cause problems.