Detecting an 8-year-old security flaw, affecting 150 HP printer models

Researchers have discovered several security vulnerabilities affecting at least 150 models of HP multifunction printers (print, scan, fax).

According to researchers Alexander Bolshev and Timo Hirvonen of F-Secure, these vulnerabilities have existed since 2013, so if exploited, many users would have been attacked.

HP has released patches for the security holes by updating the firmware. The two most critical security vulnerabilities were patched on November 1, 2021.

These two vulnerabilities are tracked under the codes CVE-2021-39237 and CVE-2021-39238. The first vulnerability concerns two exposed physical ports that give full access to the device. To exploit, hackers need physical access to the device and potentially steal information.

The second vulnerability causes a buffer overflow on the font parser. With a score of 9.3, this is a very serious problem. If the exploit is successful, the hacker can execute the code remotely.

Detecting an 8-year-old security flaw, affecting 150 HP printer models Picture 1 Detecting an 8-year-old security flaw, affecting 150 HP printer models Picture 1

CVE-2021-39238 is also a "wormable" vulnerability so an attacker could spread the exploit from one printer to the entire network.

Therefore, agencies and organizations should upgrade printer firmware immediately to avoid system-wide attacks.

There are different exploits that hackers can use:

Print from a USB drive
Trick someone into printing a malicious document
Print by connecting directly to a physical LAN port
Print from another device that the hacker is controlling in the same network segment
Cross-Page Printing (XSP)
Direct attack through exposed UART port

It only takes a few seconds to exploit the CVE-2021-39238 vulnerability while a skilled hacker can create a devastating attack based on the CVE-2021-39237 vulnerability in less than 5 minutes.

The good news is that F-Scure has never discovered anyone using these vulnerabilities in attacks. According to HP, the company always monitors security and appreciates the reports of security experts.

In addition to updating firmware, IT admins can do the following to reduce risk:

Turn off printing from USB
Put the printer in a separate VLAN behind the firewall
Only allow outgoing connections from the printer to a specific address list
Set up a dedicated print server for communication between the workstation and the printer

HP's notes show that even without a firmware update, if appropriate network segmentation methods are followed, the chance of damage due to the two vulnerabilities mentioned above will be significantly reduced.l