| Field | Details |
|---|---|
| Product | Certain HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers |
| Type | Missing Protection Mechanism for Alternate Hardware Interface |

F-Secure found that HP multi-function printers (MFPs) have unlocked shells on the communications board connectors. A malicious actor with physical access to the device might be able to place a temporary or persistent implant via those interfaces. This would allow them to gain control over the printer software, steal documents that are being scanned or printed, attack other printers using a remote code execution vulnerability in the font parser, or move laterally through the network infrastructure.
F-Secure have discovered exposed UART interfaces that provide unlimited access to the shell within the communication board of HP MFPs. One UART interface on the board provides access to the UEFI shell control, the other one to the root Linux shell of the scanner module. F-Secure found the issue on the HP MFP M725z model, but there are over 150 affected models. The exploitability of the issue has not, however, been verified by F-Secure in any device other than the M725. The issue has been reported to the vendor and resolved in the latest versions of the firmware.
For a more detailed technical description of the vulnerability, please see the detailed write-up.
Malicious actors with physical access to the device are able to dump and tamper with all data that is stored on the system and user partitions of the device. It should be noted that the relevant connectors are large and easy to connect to, which greatly reduces the time and accuracy required for an attacker to connect the wires. The whole procedure of removing the connector board, connecting wires, booting the printer, installing a persistent / in-memory implant, and then removing the wires can take less than five minutes, increasing the risk of someone using this attack. Successful exploitation of the issue gives the attacker full control over the device.
The impact includes but is not limited to:
Unfortunately, the only possible mitigation is to prevent physical access to the device. Reactive measures (such as CCTV monitoring or sealing communication board slots) are also possible and may help detect when a malicious actor is tampering with the device.
F-Secure strongly encourages installing the firmware update. The list of affected HP MFP models and the instructions for obtaining the updated firmware can be found in HP's security bulletin.

| Date | Event |
|---|---|
| 2021-04-29 | F-Secure Consulting discloses the vulnerabilities to HP |
| 2021-05-12 | Email from HP with a question about the PoC. F-Secure replies |
| 2021-05-13 | Email from HP about our plans on publishing the findings. F-Secure replies |
| 2021-06-14 | HP sends F-Secure a fixed firmware for verification |
| 2021-06-16 | F-Secure replies with the verification results and some additional questions |
| 2021-06-21 | F-Secure shares a draft of this blog post with HP |
| 2021-11-01 | HP publishes their Security Bulletins |
| 2021-11-03 | F-Secure sends a confidential note to clients urging them to patch |
| 2021-11-30 | F-Secure advisory and paper published |