150+ HP multifunction printers open to attack (CVE-2021-39237, CVE-2021-39238)

Over 150 HP multifunction printers (MFPs) are open to attack via two exposed physical access port vulnerabilities (CVE-2021-39237) and two different font parsing vulnerabilities (CVE-2021-39238) discovered by F-Secure security consultants Timo Hirvonen and Alexander Bolshev.

Attackers can exploit the vulnerabilities to seize control of vulnerable devices, steal information, and further infiltrate networks to inflict other types of damage, but the good news is that, earlier this month, HP has issued firmware updates that patch the vulnerabilities.

About the vulnerabilities (CVE-2021-39237, CVE-2021-39238)

“The flaws are in the unit’s communications board and font parser. An attacker can exploit them to gain code execution rights, with the former requiring physical access while the latter can be accomplished remotely,” the researchers explained.

The most effective attack method would involve tricking a user from a targeted organization into visiting a malicious website, exposing the organization’s vulnerable MFP to what’s known as a cross-site printing attack. The website would, automatically, remotely print a document containing a maliciously-crafted font on the vulnerable MFP, giving the attacker code execution rights on the device.

An attacker with these code execution rights could silently steal any information ran (or cached) through the MFP. This includes not only documents that are printed, scanned, or faxed, but also information like passwords and login credentials that connect the device to the rest of the network.

Attackers could also use compromised MFPs as a beachhead to penetrate further into an organization’s network in pursuit of other objectives (such as stealing or changing other data, spreading ransomware, etc.)

While the researchers determined that exploiting the vulnerabilities is difficult enough to prevent many low-skilled attackers from using them, experienced threat actors could make use of them in more targeted operations.

Furthermore, the researchers discovered the font parsing vulnerabilities are wormable, meaning attackers could create self-propagating malware that automatically compromises affected MFPs and then spreads to other vulnerable units on the same network.

“It’s easy to forget that modern MFPs are fully-functional computers that threat actors can compromise just like other workstations and endpoints. And just like other endpoints, attackers can leverage a compromised device to damage an organizations infrastructure and operations. Experienced threat actors see unsecured devices as opportunities, so organizations that don’t prioritize securing their MFPs like other endpoints leave themselves exposed to attacks like the ones documented in our research,” explained Hirvonen.

Advice for securing MFPs

Hirvonen and Bolshev contacted HP last spring with their findings and worked with them to help patch the vulnerabilities.

Considering HP’s status as a leading provider of MFPs, many companies throughout the globe are likely using vulnerable devices.

While the attack’s difficulty makes it impractical for some threat actors, the researchers say that it’s important for organizations targeted by advanced attacks to secure their vulnerable MFPs.

In addition to patching, measures for securing MFPs include:

• Limiting physical access to MFPs
• Segregating MFPs in a separate, firewalled VLAN
• Using anti-tamper stickers to signal physical tampering with devices
• Following vendors’ best practices for preventing unauthorized modifications to security settings
• Placing MFPs in CCTV-monitored areas to record any physical usage of hacked device at the time it was compromised.

“Large enterprises, companies working in critical sectors, and other organizations facing highly-skilled, well-resourced attackers need to take this seriously. There’s no need to panic, but they should assess their exposure, so they’re prepared for these attacks. Although the attack is advanced, it can be mitigated with the basics: network segmentation, patch management, and security hardening,” said Hirvonen.

While there’s no indication that threat actors are actively exploiting these vulnerabilities, defenders can detect an attack by monitoring the network traffic and doing log analysis, the consultants said.

“There aren’t many forensic tools capable of recovering evidence from MFPs and similar devices, so attackers that successfully exploit these flaws will leave very little evidence behind. It’s a good option for adversaries that need stealth.”