Researchers from SentinelOne discovered a 16-year-old security vulnerability in an HP, Xerox, and Samsung printers driver that can allow attackers to gain admin rights on systems running the flawed driver.
The discovery was casually made several months ago, while experts were configuring a brand new HP printer, and noticed that an old printer driver from 2005 called SSPORT.SYS was triggering an alert by Process Hacker.
“This led to the discovery of a high severity vulnerability in HP, Xerox, and Samsung printer driver software that has remained undisclosed for 16 years. This vulnerability affects a very long list of over 380 different HP and Samsung printer models as well as at least a dozen different Xerox products.” reads the analysis published by SentinelOne.
The vulnerability, tracked as CVE-2021-3438, is a buffer overflow that resides in the SSPORT.SYS driver which is used by some printer models.
Upon installing the printer software, the driver is always installed and activated on the machine, even when the installation is canceled. An attacker with local access could exploit this mechanism to escalate privileges without requiring user interaction.
An attacker with basic user privileges can elevate their privileges to SYSTEM and run code in kernel mode, in this way a malicious code could evade detection of security products.
“Successfully exploiting a driver vulnerability might allow attackers to potentially install programs, view, change, encrypt or delete data, or create new accounts with full user rights. Weaponizing this vulnerability might require chaining other bugs as we didn’t find a way to weaponize it by itself given the time invested.” continues the analysis..
“Successfully exploiting a driver vulnerability might allow attackers to potentially install programs, view, change, encrypt or delete data, or create new accounts with full user rights,” SentinelOne explains.
At the time of the publishing of the report, the experts are not aware of attacks exploiting this vulnerability in the wild, but they expect that threat actors could leverage it in the next future.
HP has published a security advisory (HPSBPI03724) that includes the list of impacted printer models. Xerox also published a security advisory Mini Bulletin (XRX21K) to urge customers to address the vulnerability.
“While we haven’t seen any indicators that this vulnerability has been exploited in the wild up till now, with millions of printer models currently vulnerable, it is inevitable that if attackers weaponize this vulnerability they will seek out those that have not taken the appropriate action.” concludes SentinelOne.
Below is the disclosure timeline for this flaw:
18 Feb, 2021 – Initial report.
23 Feb, 2021 – We notified HP that the same issue exists in Samsung and Xerox printers.
19 May, 2021 – HP released an advisory for CVE-2021-3438.
20 May, 2021 – We notified HP that the “affected products” listing is incomplete and provided extra information.
01 Jun, 2021 – HP updated the list of affected products.
Follow me on Twitter: @securityaffairs and Facebook
[adrotate banner=”9″] | [adrotate banner=”12″] |
(SecurityAffairs – hacking, CVE-2021-3438)
[adrotate banner=”5″]
[adrotate banner=”13″]
The National Police Agency in South Korea warns that North Korea-linked threat actors are targeting…
The U.S. Department of State imposed visa restrictions on 13 individuals allegedly linked to the…
A cyber attack has been disrupting operations at Synlab Italia, a leading provider of medical…
Russia-linked APT28 group used a previously unknown tool, dubbed GooseEgg, to exploit Windows Print Spooler…
A financially motivated group named GhostR claims the theft of a sensitive database from World-Check…
Researcher demonstrated how to exploit vulnerabilities in the Windows DOS-to-NT path conversion process to achieve…
This website uses cookies.