HP Multi-Function Printers - Exposed UART Interfaces
F-Secure found that HP multi-function printers (MFPs) have unlocked shells on the communications board connectors. A malicious actor with physical access to the device might be able to place a temporary or persistent implant via those interfaces. This would allow them to gain control over the printer software, steal documents that are being scanned or printed, attack other printers using a remote code execution vulnerability in the font parser, or move laterally through the network infrastructure.
F-Secure have discovered exposed UART interfaces that provide unlimited access to the shell within the communication board of HP MFPs. One UART interface on the board provides access to the UEFI shell control, the other one to the root Linux shell of the scanner module. F-Secure found the issue on the HP MFP M725z model, but there are over 150 affected models. The exploitability of the issue has not, however, been verified by F-Secure in any device other than the M725. The issue has been reported to the vendor and resolved in the latest versions of the firmware.
For a more detailed technical description of the vulnerability, please see the detailed write-up.
Malicious actors with physical access to the device are able to dump and tamper with all data that is stored on the system and user partitions of the device. It should be noted that the relevant connectors are large and easy to connect to, which greatly reduces the time and accuracy required for an attacker to connect the wires. The whole procedure of removing the connector board, connecting wires, booting the printer, installing a persistent / in-memory implant, and then removing the wires can take less than five minutes, increasing the risk of someone using this attack. Successful exploitation of the issue gives the attacker full control over the device.
The impact includes but is not limited to:
- Temporary and/or persistent software implant
- Access to documents that are being scanned and printed
- Network pivoting
- Access to credentials stored on the device for, e.g., LDAP integration or network access
Unfortunately, the only possible mitigation is to prevent physical access to the device. Reactive measures (such as CCTV monitoring or sealing communication board slots) are also possible and may help detect when a malicious actor is tampering with the device.
F-Secure strongly encourages installing the firmware update. The list of affected HP MFP models and the instructions for obtaining the updated firmware can be found in HP's security bulletin.