Researchers have found a potentially serious remote code execution vulnerability in some of HP’s enterprise printers. The vendor claims to have already developed a patch that will be made available to customers sometime this week.
Back in 2015, HP announced the launch of new enterprise-grade LaserJet printers fitted with security features designed to block malicious actors from breaching a company’s network. Roughly one year later, the company also announced several security improvements to its Managed Print Services.
The tech giant claims it provides “the world’s most secure printing” and a recent marketing campaign run by the company shows how printers from other vendors can allow hackers to cause significant damage to an organization.
Researchers at FoxGlove Security wanted to put HP’s claims to the test so they acquired an HP PageWide Enterprise 586dn multi-functional printer (MFP), currently sold for $2,000, and an HP LaserJet Enterprise M553n printer, which costs roughly $500.
The experts started testing the devices using PRET (PRinter Exploitation Toolkit), a tool developed by researchers from Ruhr-Universität Bochum in Germany. When PRET was introduced, its creators claimed to have used it to find vulnerabilities in 20 printers and MFPs from HP, Brother, Lexmark, Dell, Samsung, Konica, OKI and Kyocera.
FoxGlove used PRET to find a path traversal flaw that allowed them to access the content of any print job, including PIN-protected jobs. PRET also helped them discover vulnerabilities that can be exploited to manipulate the content of print jobs and to reset devices to factory settings, implicitly removing the admin password.
However, the researchers’ goal was to find a vulnerability that could be exploited for remote code execution (RCE). In order to achieve this, they extracted the printer operating system and firmware and reverse engineered them. HP has implemented some mechanisms to prevent tampering with the system, but the experts managed to bypass them and gain access to files.
They then analyzed firmware updates and HP Software Solutions, which use the OXP platform and SDK to extend a printer’s functionality. Both Solutions and firmware updates are delivered as a single bundle (.BDL) file that needs to have a valid signature.
They failed to upload malicious firmware to the device due to the signature validation mechanism, but they have proposed some possible attack vectors in case others want to continue the research. On the other hand, they did crack signature validation for Solutions files, and they managed to upload a malicious DLL and execute arbitrary code.
FoxGlove Security has made available the source code of the tools used during the research, including proof-of-concept (PoC) malware.
The code execution vulnerability was reported to HP on August 21 and the company has promised to release a patch this week.
UPDATE 11/22/2017. HP informed SecurityWeek that the code execution vulnerability, tracked as CVE-2017-2750, was patched by the company on November 17. The flaw affects tens of HP LaserJet Enterprise, PageWide Enterprise, LaserJet Managed and OfficeJet Enterprise printers.