HP Multi-Function Printers - Improper validation of an array index

Product: Certain HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise PageWide, HP PageWide Managed printers
Severity: High
CVE Reference: CVE-2021-39238
Type: Improper validation of an array index

Description

F-Secure discovered that HP multi-function printers (MFPs) can be used to expose infrastructure to attack. A remote code execution vulnerability in the printer can allow a local or remote malicious actor to gain control over the printer software, steal documents that are being scanned or printed, or move laterally through the network infrastructure. An attacker could exploit this vulnerability in multiple ways, by printing from USB, printing over e-mail, or by invoking printing from a browser using JavaScript code on a webpage.

Details

F-Secure discovered a Remote Code Execution (RCE) vulnerability within the firmware of the HP MFP M725z device. The font parser library is vulnerable to a memory corruption issue due to improper validation of an array index (CWE-129). The issue can be exploited remotely using a Cross-Site Printing (XSP) vector as part of a drive-by or social engineering attack via workstations that can communicate directly with the devices’ JetDirect service. It is also possible to trigger and exploit the vulnerability locally using the ‘print from USB’ feature. Approximately 150 different HP MFP models are affected. However, the exploitability of the issue has not been verified by F-Secure in any device other than the M725. This has been reported to the vendor and the issue has been resolved in the latest versions of the firmware.

For a more detailed technical description of the vulnerability, please see the detailed write-up.

Impact

Successful exploitation of the issue gives the attacker full control over the device. The impact includes but is not limited to:

  • Access to documents that are being scanned and printed
  • Network pivoting
  • If USB is enabled, access to the USB flash storage which users print from or scan to (this includes reading, tampering with, and infecting the files on the USB)
  • Access to credentials stored on the device for, e.g., LDAP integration or network access
  • As the exploit can be turned into a network worm, it is possible for a compromised MFP to infect other vulnerable MFPs whose TCP port 9100 can be reached.

Mitigations

There are multiple ways to mitigate the vulnerability. First, printing from USB is disabled by default and should stay that way, as recommended by HP. Second, since an attacker in the same network segment can exploit the vulnerability by communicating directly with the JetDirect TCP/IP port 9100, we recommend placing the printers into a separate, firewalled VLAN. All workstations should communicate with a dedicated print server, and only the print server should talk to the printers. This is important since, without proper network segmentation, the vulnerability could be exploited by a malicious website that sends the exploit directly to port 9100 from the browser. To hinder lateral movement and Command & Control communications from a compromised MFP, outbound connections from the printer segment should be allowed only to explicitly listed addresses.
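As an added example (not part of the advisory), the following Python check applies the segmentation policy described above to flow-log records: it flags any host other than the print server reaching port 9100, printer-to-printer 9100 connections (the worm scenario), and printer-originated outbound traffic to addresses outside the allow-list. The printer VLAN, print server, LDAP server addresses and the "src:sport > dst:dport proto" record format are all constructed assumptions.

```python
import ipaddress
import re

# Hypothetical segmentation policy; the addresses are assumptions, not from the advisory.
PRINTER_SEGMENT = ipaddress.ip_network("10.50.0.0/24")  # dedicated, firewalled printer VLAN
PRINT_SERVER = ipaddress.ip_address("10.10.0.5")        # the only host allowed to reach JetDirect
ALLOWED_OUTBOUND = {PRINT_SERVER, ipaddress.ip_address("10.10.0.9")}  # print server + LDAP server
JETDIRECT_PORT = 9100

# Constructed flow-log records in an assumed "src:sport > dst:dport proto" format.
SAMPLE_FLOWS = """\
10.10.0.5:51234 > 10.50.0.21:9100 tcp
10.10.0.77:52001 > 10.50.0.21:9100 tcp
10.50.0.21:40111 > 10.50.0.22:9100 tcp
10.50.0.22:40112 > 203.0.113.9:443 tcp
10.50.0.21:40113 > 10.10.0.9:389 tcp
"""

FLOW_RE = re.compile(r"^(\S+):(\d+) > (\S+):(\d+) (\w+)$")

def parse_flow(line):
    """Parse one record into (src, sport, dst, dport, proto); None if malformed."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    src, sport, dst, dport, proto = m.groups()
    return ipaddress.ip_address(src), int(sport), ipaddress.ip_address(dst), int(dport), proto

def classify(flow):
    """Return a finding label if the flow violates the segmentation policy, else None."""
    src, _sport, dst, dport, proto = flow
    if proto == "tcp" and dport == JETDIRECT_PORT and dst in PRINTER_SEGMENT:
        if src in PRINTER_SEGMENT:   # MFP talking to another MFP on 9100: the worm scenario
            return "printer-to-printer 9100 (possible worm propagation)"
        if src != PRINT_SERVER:      # a workstation or anything else bypassing the print server
            return "non-print-server host reached JetDirect"
    if src in PRINTER_SEGMENT and dst not in PRINTER_SEGMENT and dst not in ALLOWED_OUTBOUND:
        return "printer outbound to unlisted address (possible C2 or lateral movement)"
    return None

def audit(log_text):
    """Run every parseable record through the policy; returns [(record, finding), ...]."""
    results = []
    for line in log_text.splitlines():
        flow = parse_flow(line)
        finding = classify(flow) if flow else None
        if finding:
            results.append((line.strip(), finding))
    return results
```

Running `audit(SAMPLE_FLOWS)` on the constructed records reports three violations; only the print server's job submission and the printer's LDAP lookup pass.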

Finally, we recommend following HP’s best practices for securing access to device settings to prevent unauthorized modifications to any security settings. They have an excellent technical white paper titled "HP Printing Security Best Practices for HP FutureSmart Products". This describes the process of using HP Web Jetadmin to secure all printers at the same time.

Solution

F-Secure strongly encourages installing the firmware update. The list of affected HP MFP models and the instructions for obtaining the updated firmware can be found in HP’s security bulletin.

Credits

The vulnerability was discovered by Alexander Bolshev and Timo Hirvonen.

Detailed Timeline

2021-04-29 F-Secure Consulting discloses the vulnerabilities to HP
2021-05-12 Email from HP with a question about the PoC. F-Secure replies
2021-05-13 Email from HP about our plans on publishing the findings. F-Secure replies
2021-06-14 HP sends F-Secure a fixed firmware for verification
2021-06-16 F-Secure replies with the verification results and some additional questions
2021-06-21 F-Secure shares a draft of this blog post with HP
2021-11-01 HP publishes their Security Bulletins
2021-11-03 F-Secure sends a confidential note to clients urging them to patch
2021-11-30 F-Secure advisory and paper published