|Product||Certain HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise PageWide, HP PageWide Managed printers|
|Type||Improper validation of an array index|
F-Secure discovered a Remote Code Execution (RCE) vulnerability within the firmware of the HP MFP M725z device. The font parser library is vulnerable to a memory corruption issue due to improper validation of an array index (CWE-129). The issue can be exploited remotely using a Cross-Site Printing (XSP) vector as part of a drive-by or social engineering attack via workstations that can communicate directly with the devices’ JetDirect service. It is also possible to trigger and exploit the vulnerability locally using the ‘print from USB’ feature. Approximately 150 different HP MFP models are affected. However, the exploitability of the issue has not been verified by F-Secure in any device other than the M725. This has been reported to the vendor and the issue has been resolved in the latest versions of the firmware.
For a more detailed technical description of the vulnerability, please see the detailed write-up.
Successful exploitation of the issue gives the attacker full control over the device. The impact includes but is not limited to:
There are multiple ways to mitigate the vulnerability. First, printing from USB is disabled by default and should stay that way, as recommended by HP. Second, since an attacker in the same network segment can exploit the vulnerability by communicating directly to JetDirect TCP/IP port 9100, we recommend placing the printers into a separate, firewalled VLAN. All workstations should communicate with a dedicated print server, and only the print server should talk to the printers. This is important since, without proper network segmentation, the vulnerability could be exploited by a malicious website that sends the exploit directly to port 9100 from the browser. To hinder lateral movement and Command & Control communications from a compromised MFP, outbound connections from the printer segment should be allowed only to explicitly listed addresses.
Finally, we recommend following HP’s best practices for securing access to device settings to prevent unauthorized modifications to any security settings. They have an excellent technical white paper titled "HP Printing Security Best Practices for HP FutureSmart Products". This describes the process of using HP Web Jetadmin to secure all printers at the same time.
F-Secure strongly encourages installing the firmware update. The list of affected HP MFP models and the instructions for obtaining the updated firmware can be found in HP’s security bulletin.
|2021-04-29||F-Secure Consulting discloses the vulnerabilities to HP|
|2021-05-12||Email from HP with a question about the PoC. F-Secure replies|
|2021-05-13||Email from HP about our plans on publishing the findings. F-Secure replies|
|2021-06-14||HP sends F-Secure a fixed firmware for verification|
|2021-06-16||F-Secure replies with the verification results and some additional questions|
|2021-06-21||F-Secure shares a draft of this blog post with HP|
|2021-11-01||HP publishes their Security Bulletins|
|2021-11-03||F-Secure sends a confidential note to clients urging to patch|
|2021-11-30||F-Secure advisory and paper published|