Researchers have discovered several vulnerabilities affecting at least 150 multi-function (print, scan, fax) printers made by Hewlett Packard.

Since the flaws discovered by F-Secure security researchers Alexander Bolshev and Timo Hirvonen date back to at least 2013, they've likely exposed a large number of users to cyberattacks for a notable amount of time.

HP has released fixes for the vulnerabilities in the form of firmware updates for two of the most critical flaws on November 1, 2021.

These are CVE-2021-39237 and CVE-2021-39238. For a complete list of the affected products, click on the tracking numbers for the corresponding advisories.

The first one concerns two exposed physical ports that grant full access to the device. Exploiting it requires physical access and could lead to potential information disclosure.

The second one is a buffer overflow vulnerability on the font parser, which is a lot more severe, having a CVSS score of 9.3. Exploiting it gives threat actors a way to remote code execution.

CVE-2021-39238 is also "wormable," meaning a threat actor could quickly spread from a single printer to an entire network.

As such, organizations must upgrade their printer firmware as soon as possible to avoid large-scale infections that start from this often ignored point of entry.

Multiple potential vectors

F-Secure’s Bolshev and Hirvonen used an HP M725z multi-function printer (MFP) unit as their testbed to discover the above flaws.

After they reported their findings to HP on April 29, 2021, the company found that, unfortunately, many other models were also affected.

As the researchers explain in F-Secure’s report, there are several ways to exploit the two flaws, including:

  • Printing from USB drives, which is what was used during the research too. In the modern firmware versions, printing from USB is disabled by default.
  • Social engineering a user into printing a malicious document. It may be possible to embed an exploit for the font-parsing vulnerabilities in a PDF. 
  • Printing by connecting directly to the physical LAN port.
  • Printing from another device that is under the attacker’s control and in the same network segment.
  • Cross-site printing (XSP): sending the exploit to the printer directly from the browser using an HTTP POST to JetDirect port 9100/TCP. This is probably the most attractive attack vector.
  • Direct attack via exposed UART ports mentioned in CVE-2021-39237, if the attacker has physical access to the device for a short time.
One of the attack flows for CVE-2021-38238
Source: F-Secure

To exploit CVE-2021-39238, it would take a few seconds, whereas a skilled attacker could launch a catastrophic assault based on the CVE-2021-39237 in under five minutes.

However, it would require some skills and knowledge, at least during this first period when not many technical details are public.

Also, even if printers themselves aren’t ideal for proactive security examination, they can detect these attacks by monitoring network traffic and looking into the logs.

Finally, F-Secure points out that they have seen no evidence of anyone using these vulnerabilities in actual attacks. Hence, the F-Secure researchers were likely the first to spot them.

An HP spokesperson has shared the following comment with Bleeping Computer:

HP constantly monitors the security landscape and we value work that helps identify new potential threats. We have published a security bulletin for this potential vulnerability here. The security of our customers is a top priority and we encourage them to always stay vigilant and to keep their systems up to date.

Mitigation methods

Apart from upgrading the firmware on the affected devices, admins can follow these guidelines to mitigate the risk of the flaws:

  • Disable printing from USB
  • Place the printer into a separate VLAN sitting behind a firewall
  • Only allow outbound connections from the printer to a specific list of addresses
  • Set up a dedicated print server for the communication between workstations and the printers

The last point underlines that even without fixing patches if proper network segmentation practices are followed the chances of suffering damage from network intruders drop significantly.

A detailed guide on the best practices for securing your printer is available in HP’s technical paper. You can also watch a video demo of how this HP printer vulnerability can be exploited below.

Related Articles:

Maximum severity Flowmon bug has a public exploit, patch now

New Ivanti RCE flaw may impact 16,000 exposed VPN gateways

AnyCubic fixes exploited 3D printer zero day flaw with new firmware

Hackers exploit critical RCE flaw in Bricks WordPress site builder

Hackers hijack OpenMetadata apps in Kubernetes cryptomining attacks