Security researchers have published details about two serious vulnerabilities that impact over 150 different HP multifunction printer models with FutureSmart firmware going back at least nine years. The attack vectors associated with the flaws and their impact serve as a reminder that printers can pose significant security risks to enterprise networks if not properly secured, updated and segmented.
"For one, the vulnerabilities date back to at least 2013 and affect a large number of HP products released," researchers from security firm F-Secure, who found the flaws, said in their report.
"HP is a large company that sells products all over the world. Many companies are likely using these vulnerable devices. To make matters worse, many organisations don’t treat printers like other types of endpoints. That means IT and security teams forget about these devices’ basic security hygiene, such as installing updates."
Exploiting one of the vulnerabilities requires physical access and can be done through physical ports that are exposed on its communications board.
A skilled attacker with physical access to a vulnerable MFP would need around five minutes to perform the attack and deploy a stealthy implant that could take full control of the device and exfiltrate potentially sensitive information.
The second vulnerability is even more dangerous because it's located in the firmware's font parsing code and essentially allows anyone who can print a specifically crafted file to execute malicious code on the vulnerable MFPs. The vulnerability is wormable and exploitation can be achieved in seconds through multiple remote attack vectors, including by users visiting malicious websites.
Physically exploitable HP printer vulnerability
CVE-2021-39237, which F-Secure researchers Timo Hirvonen and Alexander Bolshev found, concerns two exposed debugging ports on the MFP board that don't require authentication.
By connecting to these ports, attackers can gain privileged shell access to the different execution environments inside the device: the Extensible Firmware Interface (EFI) environment -- also known as the BIOS -- which handles the boot process; the Linux-based environment of the scanner board; and the Windows CE environment of the central communication board, which handles the graphical user interface and contains most of the programs that enable the printer's feature set.
By gaining access to the EFI shell, attackers can dump the contents of the printer's internal hard drive to a USB drive they attach to the printer. This matters because the hard drive uses hardware encryption to protect the data, but its contents are decrypted during the boot process.
With root access to the Linux environment, an attacker could execute commands and deploy malware. The Linux environment also has unprotected Telnet access into the Windows CE environment, giving attackers administrative command-line access to the core OS of the printer.
"A malicious actor with physical access to the device is able to dump and tamper with all data that is stored on the system and user partitions of the device," the researchers said in their paper. "This may enable them to exfiltrate confidential information, as well as install a memory-based or persistent software implant.
"Such an implant could be used to collect information that is passed through the device and for further lateral movement into the corporate network. The choice of implant is a matter of preference: It could be a permanent one, implanted via EFI shell access, or an in-memory one, that could be put in memory of the Linux or Windows CE environment."
HP has added mitigations against firmware attacks over the years, showing that it takes such attacks seriously. In 2015, it added three security features to the FutureSmart firmware for HP LaserJet Enterprise printers: BIOS validation, firmware code-signing and integrity verification and runtime intrusion detection. The researchers performed their analysis on a 2013 FutureSmart firmware version.
In its security bulletin, HP describes CVE-2021-39237 as an information disclosure flaw but rates it as high severity. The F-Secure researchers tell CSO that HP's patches for this vulnerability render the EFI, Linux and Windows CE consoles read-only, so input is no longer accepted, and that a password was added for the Telnet connection between the Linux environment and Windows CE.
Remotely exploitable HP printer vulnerability
The second vulnerability, tracked as CVE-2021-39238, is much more dangerous because it can be exploited in multiple ways including remotely to trigger a buffer overflow and potentially achieve arbitrary code execution. It consists of two memory corruption issues in the printer's font parsing code that are similar to a font parsing flaw found in Java in 2013 by researcher Joshua J. Drake and used at the Pwn2Own contest.
Since this seems to stem from a more generic issue with font parsing across different implementations in different programming languages, it's possible that devices from other printer vendors might also have this vulnerability, but the F-Secure researchers haven't investigated MFPs from other manufacturers.
The font parsing flaw can be exploited by embedding the exploit into a file and then sending it to be printed through the many printing options offered by the device.
This includes printing from a USB drive (disabled by default on modern firmware versions); printing by connecting directly to the physical LAN port; printing over the network from another device in the same network segment, which makes the vulnerability wormable; and printing via a browser by sending an HTTP POST request to the printer's JetDirect port 9100/TCP.
The browser-based printing is the most dangerous attack vector because it enables attacks from outside the local area network. By visiting a compromised or maliciously crafted website, a user's browser can be forced to send requests over the local network to a particular IP address and port. This is known as cross-site printing (XSP).
The same cross-site request forgery vector was used in the past to exploit vulnerabilities in home routers by forcing users' browsers to send malicious requests over their local area networks to the web-based administration interfaces of their routers.
Social engineering a user into printing a malicious document is also a big attack vector, according to the F-Secure researchers, since it might be possible to embed an exploit for the font parsing vulnerabilities in a PDF file. "The opportunities for social engineering are endless: HR printing a CV before a job interview, a receptionist printing a boarding pass, etc.," the researchers said.
How to mitigate printer vulnerabilities
These are just the latest examples of the many vulnerabilities found in printers over the years. At the Pwn2Own contest earlier this month, the F-Secure team managed to hack into an HP LaserJet MFP and turn it into a jukebox. The vulnerabilities they used for that attack were different and haven't been publicly disclosed yet.
Printers can present hackers with a trove of sensitive information to steal in the form of business files that employees send to be printed. They are also full-fledged network computers in their own right, so they can serve as a foothold inside the network from which to launch other attacks. Unfortunately, they don't have the same level of visibility, threat detection and forensics capabilities as workstations, laptops, servers and other enterprise IT assets.
Defending against printer attacks and mitigating potential printer compromises requires more than deploying firmware updates on a regular basis, important as that step is. Printers should also be isolated in their own network segment that is properly firewalled.
According to the F-Secure researchers, workstations and other endpoint devices should not be able to talk directly to printers; they should instead go through a dedicated print server that acts as an intermediary. This will not mitigate all attacks, such as sending a malicious PDF file containing an exploit to a printer via the print server, but it will prevent direct exploitation over protocols like JetDirect. It will also provide an audit trail.
Printers can also be restricted from communicating with each other over such protocols and should be restricted from initiating outbound communications, except to whitelisted IP addresses or hosts. This limits the impact of a compromise if one does occur, because a malicious implant deployed on a printer would not be able to reach back to its command-and-control server.
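The segmentation rules described above (endpoints reach printers only through a print server, no printer-to-printer traffic, no printer-initiated outbound connections except to an allowlist) can be turned into a simple audit over connection logs, so that violations of the policy, including the cross-site printing pattern where a browser on a workstation posts directly to port 9100, show up as findings. The following Python script is an added example written for this article, not code from F-Secure or HP; the subnet, print-server address, allowlist and flow-log lines are all constructed for illustration and would be replaced with an organisation's own values.

```python
import ipaddress
from dataclasses import dataclass

# Constructed policy for this example (hypothetical addresses, not from the article).
PRINTER_NET = ipaddress.ip_network("10.20.0.0/24")      # isolated, firewalled printer VLAN
PRINT_SERVER = ipaddress.ip_address("10.10.0.5")         # the only host allowed to submit jobs
PRINT_PORTS = {9100, 515, 631}                           # JetDirect raw, LPD, IPP
# Hosts a printer may initiate connections to (e.g. internal DNS and NTP); constructed.
OUTBOUND_ALLOWLIST = {
    ipaddress.ip_address("10.10.0.53"),
    ipaddress.ip_address("10.10.0.123"),
}


@dataclass
class Flow:
    """One connection record: the initiating host, the destination and the destination port."""
    src: str
    dst: str
    dport: int
    proto: str = "tcp"


def parse_flow_line(line):
    """Parse a constructed key=value flow-log line, e.g.
    '2021-12-01T10:00:00Z src=10.10.0.42 dst=10.20.0.7 proto=tcp dport=9100'.
    The leading timestamp is skipped; the remaining tokens are key=value pairs."""
    fields = dict(tok.split("=", 1) for tok in line.split()[1:])
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields.get("proto", "tcp"))


def audit_flow(flow):
    """Return the name of the violated rule, or None if the flow is allowed by the policy.
    Only print protocols are enforced for endpoint-to-printer traffic; management
    protocols such as SNMP are a separate policy decision and are not judged here."""
    src = ipaddress.ip_address(flow.src)
    dst = ipaddress.ip_address(flow.dst)
    src_is_printer = src in PRINTER_NET
    dst_is_printer = dst in PRINTER_NET

    # Rule 1: printers must not talk to each other (blocks the wormable lateral path).
    if src_is_printer and dst_is_printer:
        return "printer-to-printer"
    # Rule 2: printers must not initiate outbound connections except to allowlisted hosts
    # (denies an implant its command-and-control channel).
    if src_is_printer and dst not in OUTBOUND_ALLOWLIST:
        return "printer-initiated outbound"
    # Rule 3: only the print server may submit jobs; a workstation hitting 9100 directly
    # is either a misconfigured client or a browser driven into cross-site printing.
    if dst_is_printer and flow.dport in PRINT_PORTS and src != PRINT_SERVER:
        return "direct endpoint-to-printer"
    return None


def audit_flows(lines):
    """Run the policy over a sequence of log lines and return (rule, flow) pairs for violations."""
    findings = []
    for line in lines:
        flow = parse_flow_line(line)
        verdict = audit_flow(flow)
        if verdict:
            findings.append((verdict, flow))
    return findings


# Constructed sample log: three allowed flows and three policy violations.
SAMPLE_LOG = [
    "2021-12-01T10:00:01Z src=10.10.0.5 dst=10.20.0.7 proto=tcp dport=9100",    # print server -> printer
    "2021-12-01T10:00:02Z src=10.10.0.42 dst=10.20.0.7 proto=tcp dport=9100",   # workstation -> printer
    "2021-12-01T10:00:03Z src=10.20.0.7 dst=10.20.0.8 proto=tcp dport=9100",    # printer -> printer
    "2021-12-01T10:00:04Z src=10.20.0.7 dst=10.10.0.53 proto=udp dport=53",     # printer -> DNS
    "2021-12-01T10:00:05Z src=10.20.0.7 dst=203.0.113.10 proto=tcp dport=443",  # printer -> internet
    "2021-12-01T10:00:06Z src=10.10.0.42 dst=10.10.0.5 proto=tcp dport=445",    # workstation -> print server
]

if __name__ == "__main__":
    for rule, flow in audit_flows(SAMPLE_LOG):
        print(f"{rule}: {flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}")
```

Run against the sample log, the script reports three violations: the workstation that reached port 9100 directly, the printer-to-printer connection, and the printer's outbound connection to an address outside the allowlist. From the network's point of view a browser coerced into cross-site printing produces exactly the second line, which is why the print-server-only rule is worth enforcing in the firewall rather than only auditing after the fact.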
HP also has a security best practices guide for devices running FutureSmart firmware.