150 different HP printer models are affected by security vulnerabilities.
In the battle between cybercriminals and big businesses, keeping your defences secure can be a highly complicated process of patching gaps as and when they appear. The majority of issues surface on public-facing IT components or servers, or appear when someone responds to a phishing email and is fooled into giving away key information. Rarely do IT professionals think about their printers.
Yet a series of vulnerabilities affecting more than 150 printer models manufactured by one of the biggest companies in the field, HP, could have given hackers the ability to seize control of vulnerable devices, steal information, and further infiltrate networks to inflict other types of damage.
F-Secure security consultants Timo Hirvonen and Alexander Bolshev discovered exposed physical access port vulnerabilities (CVE-2021-39237) and font parsing vulnerabilities (CVE-2021-39238) in HP’s MFP (multi-function printer) M725z – part of HP’s FutureSmart line of printers. In all, 150 different models manufactured by HP are affected by the port and font parsing vulnerabilities identified by the consultants.
How the vulnerabilities could be exploited
The F-Secure researchers identified a number of methods that could use those two vulnerabilities to try to pry open access to highly detailed servers run by businesses. The most effective method, the consultants claim, would involve tricking a user from a targeted organisation into visiting a malicious website, exposing the organisation’s vulnerable MFP to what’s known as a cross-site printing attack.
The website would automatically and remotely print a document containing a maliciously-crafted font on the vulnerable MFP, giving the attacker code execution rights on the device.
After that, any attacker with code execution rights would be able to siphon off any information that ran through, or had been cached by, the printer.
The potential list of bounties would cover not just documents printed, scanned, or faxed, but also information like passwords and login credentials that connect the device to the rest of the network. Most concerningly, the researchers claim attackers could also use the compromised devices as a tool from which to launch deeper attacks into a network.
High skill, high reward
F-Secure noted that this is not an easy attack to launch – but a skilled enough team could use it to prise open a business network. Alarmingly, the font parsing vulnerabilities are wormable, meaning attackers could create self-propagating malware that automatically compromises one printer, then spreads to other vulnerable hardware on the same network.
“It’s easy to forget that modern MFPs are fully-functional computers that threat actors can compromise just like other workstations and endpoints,” says Hirvonen. “And just like other endpoints, attackers can leverage a compromised device to damage an organisation’s infrastructure and operations. Experienced threat actors see unsecured devices as opportunities, so organizations that don’t prioritize securing their MFPs like other endpoints leave themselves exposed to attacks like the ones documented in our research.”
HP has patched the vulnerabilities, which were first identified last spring, and firmware updates and security advisories have been pushed to users.
The company and F-Secure also suggest segregating devices like printers in a separate, firewalled VLAN, and ensuring people don’t get unfettered physical access to printers without being monitored.