Cybersecurity researchers on Tuesday disclosed eight-year-old security flaws affecting 150 different multifunction printers (MFPs) from HP Inc. that could potentially be abused by an adversary to take control of vulnerable devices, pilfer sensitive information, and infiltrate enterprise networks to mount other attacks.
The two weaknesses, collectively called Printing Shellz, were discovered and reported to HP by F-Secure Labs researchers Timo Hirvonen and Alexander Bolshev on April 29, 2021, prompting the PC maker to issue patches earlier this month:
- CVE-2021-39237 (CVSS score: 7.1) – An information disclosure vulnerability impacting certain HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers.
- CVE-2021-39238 (CVSS score: 9.3) – A buffer overflow vulnerability impacting certain HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise PageWide, and HP PageWide Managed products.
“The issues are in the unit’s communications board and font parser,” Hirvonen and Bolshev said. “An attacker can exploit them to gain code execution rights, with the former requiring physical access while the latter can be accomplished remotely. A successful attack will allow an adversary to achieve various objectives, including stealing information or using the compromised machine as a beachhead for future attacks against an organization.”
CVE-2021-39238’s critical severity rating also stems from the fact that the vulnerability is wormable, meaning it could be exploited to self-propagate to other MFPs on the compromised network.
A hypothetical attack scenario could involve embedding an exploit for the font-parsing flaws in a malicious PDF document and then social engineering the target into printing the file. Alternatively, an employee from the victim organization could be lured into visiting a rogue website, in the process sending the exploit to the vulnerable MFP directly from the web browser in what is known as a cross-site printing attack.
“The website would, automatically, remotely print a document containing a maliciously-crafted font on the vulnerable MFP, giving the attacker code execution rights on the device,” the researchers said.
Besides enforcing network segmentation and disabling printing from USB drives by default, it is highly recommended that organizations using the affected devices install the patches as soon as they become available. “While exploiting these issues is somewhat difficult, the public disclosure of these vulnerabilities will help threat actors know what to look for to attack vulnerable organizations,” Hirvonen and Bolshev said.