A 16-year-old bug (CVE-2021-3438) in printer driver affects millions of printers worldwide

Experts warn of a 16-year-old vulnerability (CVE-2021-3438) in an HP, Xerox, and Samsung printers driver that an attacker could exploit to gain admin rights on systems.

Researchers from SentinelOne discovered a 16-year-old security vulnerability in an HP, Xerox, and Samsung printers driver that can allow attackers to gain admin rights on systems running the flawed driver.

The discovery was casually made several months ago, while experts were configuring a brand new HP printer, and noticed that an old printer driver from 2005 called SSPORT.SYS was triggering an alert by Process Hacker.

“This led to the discovery of a high severity vulnerability in HP, Xerox, and Samsung printer driver software that has remained undisclosed for 16 years. This vulnerability affects a very long list of over 380 different HP and Samsung printer models as well as at least a dozen different Xerox products.” reads the analysis published by SentinelOne.

The vulnerability, tracked as CVE-2021-3438, is a buffer overflow that resides in the SSPORT.SYS driver which is used by some printer models.

Upon installing the printer software, the driver is always installed and activated on the machine, even when the installation is canceled. An attacker with local access could exploit this mechanism to escalate privileges without requiring user interaction.

An attacker with basic user privileges can elevate their privileges to SYSTEM and run code in kernel mode, in this way a malicious code could evade detection of security products.

“Successfully exploiting a driver vulnerability might allow attackers to potentially install programs, view, change, encrypt or delete data, or create new accounts with full user rights. Weaponizing this vulnerability might require chaining other bugs as we didn’t find a way to weaponize it by itself given the time invested.” continues the analysis..

“Successfully exploiting a driver vulnerability might allow attackers to potentially install programs, view, change, encrypt or delete data, or create new accounts with full user rights,” SentinelOne explains.

At the time of the publishing of the report, the experts are not aware of attacks exploiting this vulnerability in the wild, but they expect that threat actors could leverage it in the next future.

HP has published a security advisory (HPSBPI03724) that includes the list of impacted printer models. Xerox also published a security advisory Mini Bulletin (XRX21K) to urge customers to address the vulnerability. 

“While we haven’t seen any indicators that this vulnerability has been exploited in the wild up till now, with millions of printer models currently vulnerable, it is inevitable that if attackers weaponize this vulnerability they will seek out those that have not taken the appropriate action.” concludes SentinelOne.

Below is the disclosure timeline for this flaw:

18 Feb, 2021 – Initial report.
23 Feb, 2021 – We notified HP that the same issue exists in Samsung and Xerox printers.
19 May, 2021 – HP released an advisory for CVE-2021-3438.
20 May, 2021 – We notified HP that the “affected products” listing is incomplete and provided extra information.
01 Jun, 2021 – HP updated the list of affected products.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, CVE-2021-3438)

[adrotate banner=”5″]

[adrotate banner=”13″]