HP Multi-Function Printers - Exposed UART Interfaces

CVE-2021-39237

  • Type: Missing Protection Mechanism for Alternate Hardware Interface
  • Severity: High
  • Affected products: Certain HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers
  • Credits: The vulnerability was discovered by Alexander Bolshev and Timo Hirvonen.
  • CVE Reference: CVE-2021-39237

Timeline
2021-04-29  F-Secure Consulting discloses the vulnerabilities to HP
2021-05-12  Email from HP with a question about the PoC. F-Secure replies
2021-05-13  Email from HP about our plans on publishing the findings. F-Secure replies
2021-06-14  HP sends F-Secure a fixed firmware for verification
2021-06-16  F-Secure replies with the verification results and some additional questions
2021-06-21  F-Secure shares a draft of this blog post with HP
2021-11-01  HP publishes their Security Bulletins
2021-11-03  F-Secure sends a confidential note to clients urging them to patch
2021-11-30  F-Secure advisory and paper published

Description

F-Secure found that HP multi-function printers (MFPs) have unlocked shells on the communications board connectors. A malicious actor with physical access to the device might be able to place a temporary or persistent implant via those interfaces. This would allow them to gain control over the printer software, steal documents that are being scanned or printed, attack other printers using a remote code execution vulnerability in the font parser, or move laterally through the network infrastructure.

Details

F-Secure have discovered exposed UART interfaces that provide unlimited access to the shell within the communication board of HP MFPs. One UART interface on the board provides access to the UEFI shell control, the other one to the root Linux shell of the scanner module. F-Secure found the issue on the HP MFP M725z model but there are over 150 affected models. The exploitability of the issue has not, however, been verified by F-Secure in any device other than the M725. The issue has been reported to the vendor and resolved in the latest versions of the firmware.

For a more detailed technical description of the vulnerability, please see the detailed write-up.

Impact

Malicious actors with physical access to the device are able to dump and tamper with all data that is stored on the system and user partitions of the device. It should be noted that the relevant connectors are large and easy to connect to, which greatly reduces the time and accuracy required for an attacker to connect the wires. The whole procedure of removing the connector board, connecting wires, booting the printer, installing a persistent / in-memory implant, and then removing the wires can take less than five minutes, increasing the risk of someone using this attack. Successful exploitation of the issue gives the attacker full control over the device.

The impact includes but is not limited to:

  • Temporary and/or persistent software implant
  • Access to documents that are being scanned and printed
  • Network pivoting
  • Access to credentials stored on the device for, e.g., LDAP integration or network access

Mitigation

Unfortunately, the only possible mitigation is to prevent physical access to the device. Reactive measures (such as CCTV monitoring or sealing communication board slots) are also possible and may help detect when a malicious actor is tampering with the device.
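
The procedure described under Impact includes booting the printer, so an unplanned restart is one more reactive signal a monitoring system can record. The following is an added example, not part of F-Secure's advisory or HP's tooling: it assumes the fleet is already polled for SNMP sysUpTime and that the polls are stored as (time, ticks) pairs; the function names, jitter allowance and sample data are constructed for illustration.

```python
from datetime import datetime, timedelta

TICK = timedelta(milliseconds=10)   # sysUpTime unit: hundredths of a second
WRAP = TICK * 2**32                 # 32-bit TimeTicks roll over after ~497 days
JITTER = timedelta(seconds=120)     # assumed allowance for poll latency and clock skew

def find_reboots(samples):
    """samples: time-ordered [(poll_time, sysUpTime ticks)] for one printer.
    Returns the estimated boot time of each restart seen between polls."""
    boots, prev_boot = [], None
    for polled_at, ticks in samples:
        boot = polled_at - TICK * ticks          # boot time implied by this poll
        if prev_boot is not None:
            shift = boot - prev_boot
            rolled_over = abs(shift - WRAP) <= JITTER   # counter wrap, not a restart
            if shift > JITTER and not rolled_over:
                boots.append(boot)
        prev_boot = boot
    return boots

def unexplained_reboots(samples, maintenance_windows):
    """Restarts that fall outside every approved (start, end) window."""
    return [b for b in find_reboots(samples)
            if not any(start <= b <= end for start, end in maintenance_windows)]

# Constructed sample data for one hypothetical printer.
SAMPLES = [
    (datetime(2021, 12, 1, 8, 0), 86_400_000),   # up 10 days
    (datetime(2021, 12, 1, 8, 5), 86_430_000),
    (datetime(2021, 12, 1, 8, 10), 18_000),      # up 3 minutes: restarted at 08:07
    (datetime(2021, 12, 1, 8, 15), 48_000),
    (datetime(2021, 12, 2, 2, 30), 60_000),      # restarted at 02:20, planned
]
WINDOWS = [(datetime(2021, 12, 2, 2, 0), datetime(2021, 12, 2, 3, 0))]
# Constructed roll-over case: the counter wraps between two polls, no restart.
WRAP_SAMPLES = [
    (datetime(2021, 12, 1, 8, 0), 2**32 - 6_000),
    (datetime(2021, 12, 1, 8, 5), 24_000),
]

if __name__ == "__main__":
    for boot in unexplained_reboots(SAMPLES, WINDOWS):
        print("unplanned restart, inspect the device:", boot.isoformat())
```

A flagged restart is a prompt to inspect the device and its communication board seals, not evidence of tampering by itself.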

Solution

F-Secure strongly encourages installing the firmware update. The list of affected HP MFP models and the instructions for obtaining the updated firmware can be found in HP's security bulletin.