Vulnerabilities detected in over 150 HP printer models, now patched

Vulnerabilities detected in over 150 HP printer models, now patched
HP printer in the image is not necessarily impacted. Used only for reference  |  Photo Credit: Pixabay
1 Dec, 2021

Security researchers at F-Secure have found two vulnerabilities dating back to 2013 and afflict more than 150 Hewlett-Packard (HP) multifunction printers (MFPs), the cybersecurity firm said in an online paper. The F-Secure team showed how attackers could exploit the vulnerabilities and compromise the printers by luring users to malicious websites and sending a document for print. 

The vulnerabilities were classified as critical and high by HP and were patched in November. They were found in HP MFPs in the LaserJet, LaserJet Managed, PageWide, PageWide Managed series. 

To exploit the first vulnerability, CVE-2021-39238, the researchers sent a document with a malicious font for print on an HP printer and triggered arbitrary code execution. In this attack, the attacker can run any commands or code on the printer and use their privileged access to steal critical documents sent for printing or scanning. Many printers store this information in their cache files. 

The other critical vulnerability, CVE-2021-39237, was found in the exposed physical ports. F-Secure warned that attackers could exploit the vulnerability by infecting the printer with a USB storage device and through it spread the malware in the organisation’s network. Printing and scanning through external drives is a very common practice in organisations. However, to carry out this attack, the attacker would need physical access to the printer or a corporate mule to do it on their behalf. 

In our quest to enhance our attack simulation capabilities while learning hardware security, we discovered two very different methods for gaining full control over HP MFPs– exposed connectors for shell access and a memory corruption issue in the font parser. The former requires physical access to the device but the latter can be exploited remotely from a malicious website, the F-Secure research team explained in the research paper.  

F-Secure warns that printer security, string configuration and timely updates are often not a top priority, which makes them sitting ducks. According to the latest IDC data, HP is the leading printer brand in India with a market share of 46.9% in Q3 2021.