Security researchers have discovered critical vulnerabilities in the firmware of many HP multifunction printers (MFPs). An attacker can use them to smuggle malicious code onto the device and execute it. From there, attackers can establish a foothold in the network, and the malicious code may spread like a worm from printer to printer; data such as print jobs can also be exfiltrated. HP provides firmware updates for more than 100 affected printer models. So far the researchers have found no evidence that the vulnerabilities have actually been exploited in the wild.
Few administrators regard the printer as a gateway into the local network for attackers or malware, so printers are often overlooked in patch management. Yet they are small computers in their own right, especially the large multifunction devices that serve entire departments, and they store a variety of data such as print jobs, configuration information and, for example, credentials for access to network shares.
F-Secure security researchers took a closer look at the hardware and software of one of the affected printers and found weaknesses in the firmware's font handling (the processing of character sets). The vulnerabilities can be exploited by printing manipulated PostScript files, which lets an attacker smuggle in and execute arbitrary code.
The first analyses were done on the firmware from 2013 that they found on the test machine. Once they had managed to exploit it, they moved on to the firmware that was current at the time of testing; with some modifications, the vulnerabilities could still be exploited. Firmware files for other devices were stored on HP's FTP servers, which the researchers used to check whether the vulnerability they had discovered was present in those models as well, and they found it there, too. In their detailed report, the F-Secure researchers explain how they proceeded.
F-Secure's researchers also list potential attack vectors. The most dangerous is a cross-site printing attack: when a user visits a malicious website, the web browser is made to send an HTTP POST request carrying a malicious payload to the printer's JetDirect raw port, TCP 9100, on the local network. Attackers can lure users to such a prepared page with an email message, for example.
Printing, and with it the infection, also succeeded from another machine that had already been compromised, so the vulnerability could be exploited by a worm, that is, code that propagates on its own across the network. Other entry points are printing a manipulated file from a USB drive, plugging a device directly into the printer's RJ45 port, or social engineering, for example.
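Both network-borne vectors described above leave a recognizable trace on the printer's raw port: cross-site printing arrives as an HTTP request on TCP 9100, a port that never legitimately receives HTTP, and worm-style spread arrives as a print job from a host that is not the print server. The following triage script is an added example written for this page; it is not from the original article or from F-Secure's tooling. The session records, the addresses and the print-server allow-list are constructed for illustration.

```python
"""Triage of raw-port (TCP/9100) print sessions.

Added example, not from the original article and not F-Secure's tooling. It
flags the two network-borne vectors described above: cross-site printing, where
a browser is tricked into sending an HTTP POST to JetDirect port 9100, and
printing from an already compromised host (worm-style spread). The session
records and the print-server allow-list below are constructed for illustration.
"""
import re
from dataclasses import dataclass

JETDIRECT_PORT = 9100
# A raw print port never receives HTTP; a request line here means a browser
# (or some other HTTP client) was pointed at the printer.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|HEAD|OPTIONS) \S+ HTTP/1\.[01]\r\n")
POSTSCRIPT_MAGIC = b"%!PS"


@dataclass(frozen=True)
class Session:
    src: str      # client address as seen by the printer or a network sensor
    dst: str      # printer address
    dport: int
    head: bytes   # first bytes the printer received on the connection


def http_body(head: bytes) -> bytes:
    """Return what follows the HTTP header block, or b'' if there is no header."""
    marker = b"\r\n\r\n"
    return head.split(marker, 1)[1] if marker in head else b""


def findings_for(session: Session, print_servers: frozenset) -> list:
    """Classify one session; an empty list means nothing suspicious."""
    if session.dport != JETDIRECT_PORT:
        return []
    out = []
    if HTTP_REQUEST_LINE.match(session.head):
        out.append("http-on-raw-port")          # cross-site printing signature
        if http_body(session.head).lstrip().startswith(POSTSCRIPT_MAGIC):
            out.append("postscript-in-http-body")
    if session.src not in print_servers:
        out.append("unexpected-source")         # workstation, another printer, ...
    return out


def triage(sessions, print_servers):
    """Map (src, dst) to findings for every session that raised at least one."""
    return {
        (s.src, s.dst): f
        for s in sessions
        if (f := findings_for(s, print_servers))
    }


# Hypothetical site layout: print jobs should only arrive from the print server.
PRINT_SERVERS = frozenset({"10.1.10.5"})

# Constructed sessions: a normal PJL job, a browser-originated POST carrying
# PostScript, a raw PostScript job from another printer, and unrelated web traffic.
SAMPLE_SESSIONS = [
    Session("10.1.10.5", "10.1.30.20", 9100, b"\x1b%-12345X@PJL JOB\r\n"),
    Session("10.1.20.55", "10.1.30.20", 9100,
            b"POST / HTTP/1.1\r\nHost: 10.1.30.20:9100\r\nContent-Length: 23\r\n\r\n"
            b"%!PS\n/x 1 def showpage\n"),
    Session("10.1.30.21", "10.1.30.20", 9100, b"%!PS-Adobe-3.0\n"),
    Session("10.1.20.55", "10.1.30.20", 80, b"GET /hp/device/ HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for key, flags in triage(SAMPLE_SESSIONS, PRINT_SERVERS).items():
        print(key, ", ".join(flags))
```

The allow-list is the site-specific part: feed it the addresses of your print servers and the script reports any direct-to-printer job as a possible lateral move. The same reasoning points at the structural fix for the browser vector: if workstation VLANs cannot reach TCP 9100 at all and only the print server can, a malicious page has nothing to POST to.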
Firmware updates close the gaps
A second security bulletin from HP covers another vulnerability (CVE-2021-39237, rated high) found by the F-Secure researchers. Exploiting it, however, requires physical access to the printer. Ultimately, attackers could gain unauthorized access to information such as print jobs or stored credentials.
HP lists the affected model series in a critical security bulletin (CVE-2021-39238, CVSS 9.3). HP users should check the list under "Affected Products" in the bulletin to see whether their models are included. HP provides updated firmware on its support and download page, where the model number can be looked up. Administrators should roll out these updates immediately and, going forward, include regular printer firmware updates in their patch planning.