Critical Printing Shellz flaws impact 150 HP multifunction printer models

Researchers discovered a critical wormable buffer overflow vulnerability that affects 150 different HP multifunction printer models (MFPs).

Cybersecurity researchers from F-Secure have discovered two critical vulnerabilities, collectively tracked as Printing Shellz, that impact approximately 150 multifunction printer models.

The vulnerabilities can be exploited by attackers to take control of vulnerable devices and steal sensitive information, from enterprise networks. The issues date back to 2013 and HP fixed them ([1], [2]) in November. The company acknowledged F-Secure Labs researchers Timo Hirvonen and Alexander Bolshev for reporting the vulnerabilities on April 29, 2021.

The two vulnerabilities are:

  • CVE-2021-39237 (CVSS score: 7.1) – An information disclosure vulnerability impacting certain HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers.
  • CVE-2021-39238 (CVSS score: 9.3) – A buffer overflow vulnerability impacting certain HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise PageWide, and HP PageWide Managed products.

We found multiple exploitable bugs in a HP multi-function printer (MFP). The flaws are in the unit’s communications board and font parser.” reads the FAQs published by F-Secure researchers. “An attacker can exploit them to gain code execution rights, with the former requiring physical access while the latter can be accomplished remotely. A successful attack will allow an adversary to achieve various objectives, including stealing information or using the compromised machine as a beachhead for future attacks against an organization.

Threat actors can exploit both flaws locally via physical access to the vulnerable device, for example by Printing from USB drives. Another attack scenario sees attackers printing from another device in the same network segment, in this case, the threat actor uses an exploit that replicates itself to other vulnerable MFPs across the network.

Below are the attack scenarios detailed by the researchers:

  • Printing from USB drives. This is what we used during the research. In the modern firmware versions, printing from USB is disabled by default.
  • Social engineering a user into printing a malicious document. It may be possible to embed an exploit for the font-parsing vulnerabilities in a PDF. The opportunities for social engineering are endless: HR printing a CV before a job interview, a receptionist printing a boarding pass, etc.
  • Printing by connecting directly to the physical LAN port.
  • Printing from another device that is under attacker’s control and in the same network segment. This also implies that the respective flaw (CVE-2021-39238) is wormable, i.e., the exploit can be used to create a worm that replicates itself to other vulnerable MFPs across the network.
  • Cross-site printing (XSP): sending the exploit to the printer directly from the browser (by tricking a user into visiting a malicious website, for example) using an HTTP POST to JetDirect port 9100/TCP. This is probably the most attractive attack vector.
  • Direct attack via exposed UART ports that are mentioned in CVE-2021-39237, if attacker has physical access to the device for a short period of time.

Organizations should install the patches as soon as possible, the public disclosure of the vulnerabilities will likely trigger a wave of attacks attempting to exploit the vulnerabilities.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, HP multifunction printers)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini: Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.

This website uses cookies.