Multiple Vulnerabilities Found in More Than 150 HP Printer Models; Critical Flaw Could Allow Attackers to Move Laterally
Vulnerabilities in more than 150 multi-function printers from HP demonstrate that any type of device that connects to a network can expand the perceived threat surface.
Helsinki, Finland-based F-Secure found exploitable vulnerabilities in more than 150 HP multi-function printers. It reported its findings to HP in the spring of 2021. HP has updated the printers’ firmware and released advisories on November 1. F-Secure has now published a report on its research.
F-Secure’s researchers discovered two separate attack vectors – one requiring physical access, and another that could be triggered remotely from a malicious website.
The physical attack would require no more than five-minutes access to the printer. The researchers found two exposed ports on the communications board, which could be accessed by removing a single screw. Printers are often unmonitored and sometimes in their own room. An attacker disguised as a maintenance engineer could visit the printer, compromise it, and leave the building within just a few minutes.
These ports can both read and write data. “If you compromise just one of the printers, you can pivot and move laterally to more interesting parts of the network,” the researchers told SecurityWeek.
Of greater potential interest to attackers was the discovery of font parsing vulnerabilities that could be exploited remotely. The font parser has been around since at least 2013, so the vulnerability has existed from at least that time. “The font parser was developed at a time when secure programming was not taken as seriously as it is today,” commented the researchers.
The attack consists of enticing a user to a malicious website. While connected, the attacker would be able to send a remote printing instruction to the user’s company MFT. That instruction could be to print a malicious document, introducing malware into the printer. The scenario is ideal for direct social engineering to get a user (who could be anybody within the company from any department) to visit the malicious site; or a watering hole attack just waiting for visitors.
Again, once the printer is compromised, the attacker can move laterally into other parts of the network. Or, said the researchers, “he could just sit quietly within the printer and read all the documents, letters and reports that are sent to it for printing. If the USB port is enabled (to allow users to print from a memory stick), he can see everything else on the stick – and, if he wanted to, infect the stick itself for further potential lateral movement.”
These font parsing vulnerabilities are also wormable. An attacker could create self-propagating malware that automatically compromises affected MFPs and then spreads to other vulnerable units on the same network.
Exploiting the vulnerabilities is not easy and would require a hacker with expertise. The exposed port vulnerabilities are classified as CVE-2021-39237 (critical severity), and the font parsing vulnerabilities as CVE-2021-39238 (high severity).
F-Secure has seen nothing to suggest that these vulnerabilities may have been exploited before they were fixed, but it told SecurityWeek that it – in common with most security researchers – has little printer telemetry to examine.
“It’s easy to forget that modern MFPs are fully-functional computers that threat actors can compromise just like other workstations and endpoints. And just like other endpoints, attackers can leverage a compromised device to damage an organization’s infrastructure and operations. Experienced threat actors see unsecured devices as opportunities, so organizations that don’t prioritize securing their MFPs like other endpoints leave themselves exposed to attacks like the ones documented in our research,” explained researcher Timo Hirvonen.
To mitigate against any physical attacks, F-Secure recommends that printers should be monitored by CCTV. This wouldn’t prevent an attack but may deter an aggressor, and would help any investigation into an attack. F-Secure further suggests that for this particular attack, anti-tamper stickers should be affixed to the printer’s communication board. A damaged sticker would immediately indicate an attempted attack.
To foil the font parsing attack, the researchers suggest (report PDF) that firstly, printing from a USB stick should be disabled. Secondly, printers should be placed into a separate firewalled VLAN. Workstations should communicate with a dedicated print server, and only the print server should talk to the printer. To hinder both lateral movement and C&C communication, outbound communication from the printer network segment should be allowed to only specified, whitelisted addresses.
And, of course, users should apply HP’s updated firmware as soon as possible.
Related: Millions of Devices Affected by Bug in HP, Samsung, Xerox Printer Drivers
Related: HP Launches Bug Bounty Program for Printers
Related: Microsoft Confirms PrintNightmare Flaw as Ransomware Actors Pounce