HP Multi-Function Printers - Improper validation of an array index
F-Secure discovered a Remote Code Execution (RCE) vulnerability within the firmware of the HP MFP M725z device. The font parser library is vulnerable to a memory corruption issue due to improper validation of an array index (CWE-129). The issue can be exploited remotely using a Cross-Site Printing (XSP) vector as part of a drive-by or social engineering attack via workstations that can communicate directly with the devices’ JetDirect service. It is also possible to trigger and exploit the vulnerability locally using the ‘print from USB’ feature. Approximately 150 different HP MFP models are affected. However, the exploitability of the issue has not been verified by F-Secure in any device other than the M725. This has been reported to the vendor and the issue has been resolved in the latest versions of the firmware.
For a more detailed technical description of the vulnerability, please see the detailed write-up.
Successful exploitation of the issue gives the attacker full control over the device. The impact includes but is not limited to:
- Access to documents that are being scanned and printed
- Network pivoting
- If USB is enabled, access to the USB flash storage which users print from or scan to (this includes reading, tampering with, and infecting the files on the USB)
- Access to credentials stored on the device for, e.g., LDAP integration or network access
- As the exploit can be turned into a network worm, it is possible for a compromised MFP to infect other vulnerable MFPs whose TCP port 9100 can be reached.
There are multiple ways to mitigate the vulnerability. First, printing from USB is disabled by default and should stay that way, as recommended by HP. Second, since an attacker in the same network segment can exploit the vulnerability by communicating directly with the JetDirect TCP/IP port 9100, we recommend placing the printers into a separate, firewalled VLAN. All workstations should communicate with a dedicated print server, and only the print server should talk to the printers. This is important since, without proper network segmentation, the vulnerability could be exploited by a malicious website that sends the exploit directly to port 9100 from the browser. To hinder lateral movement and Command & Control communications from a compromised MFP, outbound connections from the printer segment should be allowed only to explicitly listed addresses.
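The segmentation policy above (workstations talk only to a print server, only the print server reaches the printer VLAN on port 9100, and printers may initiate connections only to an explicit allowlist) can be written down as a small policy checker and then used to audit firewall logs for gaps and for suspicious attempts. The following is an added example, not code from F-Secure or HP; the address plan, the egress allowlist and the log line format are assumptions constructed for the example.

```python
import ipaddress
import re

# Hypothetical address plan for the segmentation described in the advisory.
# These networks and hosts are assumptions for the example, not values from the page.
WORKSTATIONS = ipaddress.ip_network("10.10.0.0/16")   # user workstations
PRINT_SERVER = ipaddress.ip_address("10.20.0.5")      # the only host allowed to spool to printers
PRINTER_VLAN = ipaddress.ip_network("10.30.0.0/24")   # firewalled printer segment
JETDIRECT_PORT = 9100                                 # raw-print port named in the advisory
# Outbound destinations a printer may initiate connections to (the print server plus an
# assumed syslog/NTP host); everything else is denied to hinder lateral movement and C2.
PRINTER_EGRESS_ALLOWLIST = {
    PRINT_SERVER,
    ipaddress.ip_address("10.20.0.10"),
}


def flow_allowed(src, dst, dport):
    """Return True if a TCP flow src -> dst:dport is permitted by the segmentation policy."""
    src = ipaddress.ip_address(src)
    dst = ipaddress.ip_address(dst)
    # Rule 1: only the print server may reach the printer VLAN, and only on JetDirect.
    if dst in PRINTER_VLAN:
        return src == PRINT_SERVER and dport == JETDIRECT_PORT
    # Rule 2: a printer may only initiate connections to explicitly listed hosts.
    if src in PRINTER_VLAN:
        return dst in PRINTER_EGRESS_ALLOWLIST
    # Rule 3: workstations submit jobs to the print server, never to printers directly.
    if src in WORKSTATIONS and dst == PRINT_SERVER:
        return True
    # Default deny for anything the policy does not name.
    return False


# Constructed firewall log format for this example (not any real product's format).
LOG_RE = re.compile(r"src=(\S+) dst=(\S+) dport=(\d+) action=(allow|deny)")


def audit_firewall_log(lines):
    """Compare logged flows against the policy and return (finding, line) pairs.

    policy-gap               the firewall allowed a flow the policy forbids (segmentation not enforced)
    printer-egress-blocked   a printer tried to reach a non-allowlisted host (possible C2 or worm spread)
    direct-jetdirect-attempt a host other than the print server tried port 9100 (e.g. a browser-driven XSP attempt)
    """
    findings = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        src, dst, dport, action = m.group(1), m.group(2), int(m.group(3)), m.group(4)
        if flow_allowed(src, dst, dport):
            continue
        if action == "allow":
            findings.append(("policy-gap", line))
        elif ipaddress.ip_address(src) in PRINTER_VLAN:
            findings.append(("printer-egress-blocked", line))
        elif dport == JETDIRECT_PORT:
            findings.append(("direct-jetdirect-attempt", line))
    return findings


# Constructed sample log lines for the example.
SAMPLE_LOG = [
    "2021-01-01T09:00:01Z src=10.20.0.5 dst=10.30.0.12 dport=9100 action=allow",
    "2021-01-01T09:00:02Z src=10.10.4.7 dst=10.30.0.12 dport=9100 action=allow",
    "2021-01-01T09:00:03Z src=10.10.4.8 dst=10.30.0.12 dport=9100 action=deny",
    "2021-01-01T09:00:04Z src=10.30.0.12 dst=203.0.113.9 dport=443 action=deny",
    "2021-01-01T09:00:05Z src=10.10.4.7 dst=10.20.0.5 dport=631 action=allow",
]

if __name__ == "__main__":
    for finding, line in audit_firewall_log(SAMPLE_LOG):
        print(f"{finding:26} {line}")
```

Run against the sample, the second line is reported as a policy gap (a workstation reached a printer's port 9100 and the firewall let it through, so the segmentation is not actually enforced), the third as a direct JetDirect attempt worth investigating even though it was denied, and the fourth as blocked printer egress, which for a device that should only ever talk to the print server is a signal of compromise. Note that a firewall between VLANs never sees printer-to-printer traffic inside the printer segment, so the printer-to-printer worm case the advisory describes additionally needs isolation within the segment (for example private VLANs or switch port isolation) rather than only the rules modelled here.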
Finally, we recommend following HP’s best practices for securing access to device settings to prevent unauthorized modifications to any security settings. They have an excellent technical white paper titled "HP Printing Security Best Practices for HP FutureSmart Products". This describes the process of using HP Web Jetadmin to secure all printers at the same time.
F-Secure strongly encourages installing the firmware update. The list of affected HP MFP models and the instructions for obtaining the updated firmware can be found in HP’s security bulletin.