Cybersecurity researchers from F-Secure have discovered two critical vulnerabilities, collectively tracked as Printing Shellz, that impact approximately 150 multifunction printer models.
The vulnerabilities can be exploited by attackers to take control of vulnerable devices and steal sensitive information, from enterprise networks. The issues date back to 2013 and HP fixed them ([1], [2]) in November. The company acknowledged F-Secure Labs researchers Timo Hirvonen and Alexander Bolshev for reporting the vulnerabilities on April 29, 2021.
The two vulnerabilities are:
- CVE-2021-39237 (CVSS score: 7.1) – An information disclosure vulnerability impacting certain HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers.
- CVE-2021-39238 (CVSS score: 9.3) – A buffer overflow vulnerability impacting certain HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise PageWide, and HP PageWide Managed products.
“We found multiple exploitable bugs in a HP multi-function printer (MFP). The flaws are in the unit’s communications board and font parser.” reads the FAQs published by F-Secure researchers. “An attacker can exploit them to gain code execution rights, with the former requiring physical access while the latter can be accomplished remotely. A successful attack will allow an adversary to achieve various objectives, including stealing information or using the compromised machine as a beachhead for future attacks against an organization.“
Below are the attack scenarios detailed by the researchers:
- Printing from USB drives. This is what we used during the research. In the modern firmware versions, printing from USB is disabled by default.
- Social engineering a user into printing a malicious document. It may be possible to embed an exploit for the font-parsing vulnerabilities in a PDF. The opportunities for social engineering are endless: HR printing a CV before a job interview, a receptionist printing a boarding pass, etc.
- Printing by connecting directly to the physical LAN port.
- Printing from another device that is under attacker’s control and in the same network segment. This also implies that the respective flaw (CVE-2021-39238) is wormable, i.e., the exploit can be used to create a worm that replicates itself to other vulnerable MFPs across the network.
- Cross-site printing (XSP): sending the exploit to the printer directly from the browser (by tricking a user into visiting a malicious website, for example) using an HTTP POST to JetDirect port 9100/TCP. This is probably the most attractive attack vector.
- Direct attack via exposed UART ports that are mentioned in CVE-2021-39237, if attacker has physical access to the device for a short period of time.
