Cybersecurity researchers on Tuesday disclosed eight-year-old security flaws affecting 150 different multifunction printers (MFPs) from HP Inc that could be potentially abused by an adversary to take control of vulnerable devices, pilfer sensitive information, and infiltrate enterprise networks to mount other attacks.
The two weaknesses — collectively called Printing Shellz — were discovered and reported to HP by F-Secure Labs researchers Timo Hirvonen and Alexander Bolshev on April 29, 2021, prompting the PC maker to issue patches earlier this month —
- CVE-2021-39237 (CVSS score: 7.1) - An information disclosure vulnerability impacting certain HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers.
- CVE-2021-39238 (CVSS score: 9.3) - A buffer overflow vulnerability impacting certain HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise PageWide, and HP PageWide Managed products.
"The flaws are in the unit's communications board and font parser," Hirvonen and Bolshev said. "An attacker can exploit them to gain code execution rights, with the former requiring physical access while the latter can be accomplished remotely. A successful attack will allow an adversary to achieve various objectives, including stealing information or using the compromised machine as a beachhead for future attacks against an organization."
CVE-2021-39238's critical severity rating also stems from that the vulnerability is wormable, meaning it could be exploited to self-propagate to other MFPs on the compromised network.
A hypothetical attack scenario could involve embedding an exploit for the font-parsing flaws in a malicious PDF document and then social engineering the target into printing the file. Alternatively, an employee from the victim organization could be lured into visiting a rogue website, in the process sending the exploit to the vulnerable MFP directly from the web browser in what's known as a cross-site printing attack.
"The website would, automatically, remotely print a document containing a maliciously-crafted font on the vulnerable MFP, giving the attacker code execution rights on the device," the researchers said.
Besides enforcing network segmentation and disabling printing from USB drives by default, it's highly recommended for organizations using the affected devices to install the patches as soon as they become available. "While exploiting these issues is somewhat difficult, the public disclosure of these vulnerabilities will help threat actors know what to look for to attack vulnerable organizations," Hirvonen and Bolshev said.