Security researchers have discovered a potentially dangerous vulnerability in the firmware of various Hewlett Packard (HP) enterprise printer models that could be abused by attackers to run arbitrary code on affected printer models remotely.
The vulnerability (CVE-2017-2750), rated as high in severity with 8.1 CVSS scale, is due to insufficiently validating parts of Dynamic Link Libraries (DLL) that allows for the potential execution of arbitrary code remotely on affected 54 printer models.
The security flaw affects 54 printer models ranging from HP LaserJet Enterprise, LaserJet Managed, PageWide Enterprise and OfficeJet Enterprise printers.
This remote code execution (RCE) vulnerability was discovered by researchers at FoxGlove Security when they were analyzing the security of HP's MFP-586 printer (currently sold for $2,000) and HP LaserJet Enterprise M553 printers (sold for $500).
According to a technical write-up posted by FoxGlove on Monday, researchers were able to execute code on affected printers by reverse engineering files with the ".BDL" extension used in both HP Solutions and firmware updates.
However, after some testing researchers said that "it may be possible to manipulate the numbers read into int32_2 and int32_3 in such a way that the portion of the DLL file having its signature verified could be separated from the actual executable code that would run on the printer."
The researchers were able to bypass digital signature validation mechanism for HP software "Solution" package and managed to add a malicious DLL payload and execute arbitrary code.
FoxGlove Security has made the source code of the tools used during its research available on GitHub, along with the proof-of-concept (PoC) malware payload that could be remotely installed on the printers.
The actions performed by their proof of concept malware are as follows:
To download the new firmware update, visit the HP website in your web browser, and select Support from the top of the page and select Software & drivers. Now, enter the product name or model number in the search box, then scroll down in the search results to firmware and download the necessary files.
The vulnerability (CVE-2017-2750), rated as high in severity with 8.1 CVSS scale, is due to insufficiently validating parts of Dynamic Link Libraries (DLL) that allows for the potential execution of arbitrary code remotely on affected 54 printer models.
The security flaw affects 54 printer models ranging from HP LaserJet Enterprise, LaserJet Managed, PageWide Enterprise and OfficeJet Enterprise printers.
This remote code execution (RCE) vulnerability was discovered by researchers at FoxGlove Security when they were analyzing the security of HP's MFP-586 printer (currently sold for $2,000) and HP LaserJet Enterprise M553 printers (sold for $500).
According to a technical write-up posted by FoxGlove on Monday, researchers were able to execute code on affected printers by reverse engineering files with the ".BDL" extension used in both HP Solutions and firmware updates.
"This (.BDL) is a proprietary binary format with no publicly available documentation," researchers said. "We decided that reverse engineering this file format would be beneficial, as it would allow us to gain insight into exactly what firmware updates and software solutions are composed of."Since HP has implemented the signature validation mechanism to prevent tampering with the system, the researchers failed to upload a malicious firmware to the affected printer.
However, after some testing researchers said that "it may be possible to manipulate the numbers read into int32_2 and int32_3 in such a way that the portion of the DLL file having its signature verified could be separated from the actual executable code that would run on the printer."
The researchers were able to bypass digital signature validation mechanism for HP software "Solution" package and managed to add a malicious DLL payload and execute arbitrary code.
FoxGlove Security has made the source code of the tools used during its research available on GitHub, along with the proof-of-concept (PoC) malware payload that could be remotely installed on the printers.
The actions performed by their proof of concept malware are as follows:
- It downloads a file from http[://]nationalinsuranceprograms[.]com/blar
- Executes the command specified in the file on the printer
- Waits for 5 seconds
- Repeat
To download the new firmware update, visit the HP website in your web browser, and select Support from the top of the page and select Software & drivers. Now, enter the product name or model number in the search box, then scroll down in the search results to firmware and download the necessary files.