HP multi-function printer vulnerabilities: what you need to know
Earlier this year, WithSecure security consultants Alexander Bolshev and Timo Hirvonen discovered multiple vulnerabilites in HP multi-function printers (MFPs). Their research demonstrates how these can be exploited to gain control of the device software, steal documents, and move laterally through the target's network infrastructure.
2 exploitable bugs were found on an HP LaserJet Enterprise MFP M725, in the unit’s communications board and font parser, specifically:
- CVE-2021-39237: 2 x exposed physical ports that grant full access to the device
- CVE-2021-39238: 2 x font parsing vulnerabilities
These can both be used maliciously to gain code execution rights. While the communications board issue requires physical access, the latter can be accomplished remotely.
A successful attack would allow an attacker to achieve various objectives, including:
- Overriding the manufacturer settings to allow printing from USB drives
- Socially engineering a user into printing a malicious document, e.g., it may be possible to embed an exploit for the font-parsing vulnerabilities in a PDF
- Printing by connecting directly to the physical LAN port
- Printing from another device under the attacker’s control and in the same network segment (which implies that the respective flaw (CVE-2021-39238) can used to create a worm that replicates itself to other vulnerable MFPs across the network)
- Cross-site printing (XSP), i.e., sending the exploit to the printer directly from browser using an HTTP POST to JetDirect port 9100/TCP
- Using exposed UART ports (mentioned in CVE-2021-39237) for a direct attack (where the attacker has physical access to the device)
Despite our research being limited to the one specific model, HP’s own security advisories advise that the vulnerabilities affect over 150 products:
After receiving our report, the vendor has now resolved in the latest versions of the firmware.
(While it is possible that devices from other vendors have similar issues, we have not performed research into other MFPs.)
We've released full advisory on the vulnerabilities, including mitigations, and invite organizations to access the advisory and read the background resources listed below.
Labs research: Printing Shellz
For readers interested in the original research, Printing Shellz covers the background to the project, Alex and Timo's approach end-to-end in detail, and the wider security conclusions that can be drawn from the findings.