HP has issued patches for a series of vulnerabilities affecting more than 150 of its multifunction printer (MFP) models, which are being revealed for the first time today in a coordinated disclosure with the F-Secure researchers who discovered them.
The vulnerabilities in question are tracked as CVE-2021-39237, covering two access port vulnerabilities that require physical access, and CVE-2021-39238, covering two font parsing vulnerabilities. They are rated as being of high and critical severity respectively. If exploited successfully, F-Secure consultants Timo Hirvonen and Alexander Bolshev said they could be used to gain full control of a target enterprise’s network.
“It’s easy to forget that modern MFPs are fully functional computers that threat actors can compromise just like other workstations and endpoints. And just like other endpoints, attackers can leverage a compromised device to damage an organisation’s infrastructure and operations,” said Hirvonen.
“Experienced threat actors see unsecured devices as opportunities, so organisations that don’t prioritise securing their MFPs like other endpoints leave themselves exposed to attacks like the ones documented in our research.”
Hirvonen and Bolshev said the most effective method of exploiting these vulnerabilities would be to trick a user at the target organisation into visiting a malicious website, exposing their MFP to a cross-site printing attack: the website automatically and remotely prints a document containing a maliciously crafted font on the vulnerable device, giving the attacker code execution rights on it.
From there, the attacker can steal any data being processed by, or cached on, the printer, including not only printed, scanned or faxed documents, but also the passwords and login credentials used to connect the printer to the network. In effect, this turns the printer into a beachhead on the network from which the attackers can spread out, establish persistence, and conduct deeper and more disruptive attacks, up to data exfiltration and ransomware execution.
Hirvonen and Bolshev believe that exploitation is difficult enough to prevent low-skilled actors from using these vulnerabilities, whereas more experienced attackers could readily use them in targeted operations.
“A skilled attacker could successfully exploit the physical ports in a little over five minutes. Exploiting the font parser would only take a few seconds,” they warned. “However, these are not low-hanging fruits that would be obvious to many threat actors. The font parsing issue isn’t the easiest to find or exploit, and anything requiring physical access poses logistical barriers for threat actors to overcome.”
Additionally, the font parsing vulnerabilities (CVE-2021-39238) are wormable, meaning an attacker could create self-propagating malware that would automatically compromise at-risk printers and spread from them to other devices.
There is no evidence to suggest any of the vulnerabilities have been exploited in the wild, but, as is often the case when new bugs are disclosed, threat actors will likely be quick to weaponise them. Users of the affected devices should therefore apply the fixes listed in HP’s advisories without delay, particularly if the organisation is considered at elevated risk of targeted attack by sophisticated actors.
“Large enterprises, companies working in critical sectors and other organisations facing highly skilled, well-resourced attackers need to take this seriously,” said Hirvonen. “There’s no need to panic, but they should assess their exposure, so they’re prepared for these attacks. Although the attack is advanced, it can be mitigated with the basics: network segmentation, patch management and security hardening.”
Additionally, there are a number of further steps defenders can take to secure their MFP estate: limiting physical access to the devices, segregating MFPs on a firewalled VLAN of their own, using anti-tamper stickers to signal that a device has been physically interfered with, following the supplier’s recommended best practice for preventing unauthorised changes to security settings, and placing MFPs under video surveillance to record any physical access.
HP was informed of the vulnerabilities at the end of April 2021 and has since worked extensively with F-Secure to patch them.
The exploits are not, incidentally, linked to the exploit Hirvonen and Bolshev used against an HP LaserJet printer to get it to play Thunderstruck by AC/DC at the recent Pwn2Own event.