HP Points Firmware Updates for Printer Product Vulnerabilities

HP Inc. has issued firmware updates for a number of safety vulnerabilities that have an effect on greater than 150 fashions of its multifunction printer (MFP) merchandise.

These points usually are not significantly simple to use. Nonetheless, they current a risk to enterprise organizations as a result of they offer attackers a method to steal knowledge and achieve a foothold on a community, in accordance with F-Safe researchers who found the bugs and reported them to HP in April 2021.

The flaws are additionally harmful as a result of forensic instruments usually are not sometimes able to recovering proof from multifunction printers. An attacker who needed to take care of stealth might exploit the issues and depart little or no proof behind, F-Safe stated.

The bugs have been assigned two vulnerability identifiers: CVE-2021-39237 is a single identifier for 2 uncovered bodily ports and CVE-2021-39238
for 2 totally different font parsing flaws. HP merchandise that comprise the vulnerabilities embody fashions of the corporate’s HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers.

In advisories saying patch availability, HP described
one of many vulnerabilities (CVE-2021-39238) as a vital buffer overflow situation and the different
(CVE-2021-39237) as a high-severity data disclosure vulnerability that could possibly be exploited solely by somebody with bodily entry to the machine. 

“Prospects involved about potential bodily assaults ought to observe the advice within the product consumer information to make use of a Kensington-style lock to guard in opposition to these and different potential forms of bodily assaults on HP printers,” the corporate stated.

HP is without doubt one of the largest printer makers on this planet. IDC earlier this 12 months estimated HP presently owns 41% of the worldwide marketplace for hard-copy peripherals, a class that features single and multifunction printers and digital copiers.

In a weblog submit on Tuesday, F-Safe stated attackers might exploit these flaws to take management of susceptible HP multifunction printers or steal any data that’s both run or cached on the gadgets. Information in danger consists of any paperwork which might be printed, scanned, or faxed utilizing a susceptible machine. Additionally in danger are login credentials reminiscent of usernames and passwords which may join a susceptible machine to the remainder of the enterprise community. As well as, attackers might leverage the issues to achieve an preliminary foothold on a susceptible community, the safety vendor warned.

F-Safe stated the issues might be exploited in a number of methods. This consists of printing from USB drives, utilizing social engineering to persuade a consumer to print a malicious doc, embedding an exploit for the font-parsing flaws in a PDF, or connecting on to the bodily LAN port and printing.

The vulnerabilities exist within the font parser and communications board of affected HP printers. The font parser flaws might be exploited remotely and are wormable, that means an attacker might create malware able to replicating itself on susceptible printers throughout an enterprise community. Bugs within the communication board, in the meantime, might be exploited solely by somebody with bodily entry to the machine.

F-Safe’s investigation discovered expert attackers might possible exploit the bugs comparatively simply. The seller discovered the vulnerabilities involving bodily ports, for example, could possibly be exploited in a bit of over 5 minutes, whereas the font parser flaws could possibly be leveraged in seconds. Nonetheless, the vulnerabilities aren’t simple to seek out or to use for unskilled risk actors. The truth that bodily entry is required to use one set of bugs presents one other main problem for attackers. Even so, massive organizations in vital sectors and people susceptible to focused assaults ought to think about the bugs as lifelike assault vectors and defend themselves, the safety vendor stated.

For safety groups at organizations with the affected HP merchandise, that is yet one more time they’re pressured to deal with a big risk within the printer atmosphere this 12 months.

In June and July, many organizations needed to rush to patch vulnerabilities in Microsoft’s infamously buggy Home windows Print Spooler service. One of many vulnerabilities specifically — known as PrintNightmare — sparked widespread concern as a result of it was remotely exploitable, current in all Home windows variations, and gave attackers a solution to achieve extremely privileged entry to vital methods, together with area controllers. Nonetheless, these flaws, whereas current in a printer service, existed within the working system itself and never on the printers themselves, as is the case with the newly patched HP printer flaws.