Adversaries exploiting unpatched vulnerabilities have become a constant security concern for organizations. Cybersecurity researchers from F-Secure recently discovered multiple critical vulnerabilities in 150 multifunction printers (MFPs) manufactured by Hewlett Packard (HP). The researchers stated that the security flaws, CVE-2021-39237 and CVE-2021-39238, could enable a remote attacker to take full control of the vulnerable devices, steal information, and further infiltrate networks to inflict other types of damage. The vulnerabilities, which date back to 2013, are now fixed after HP issued security patches.
Vulnerabilities in Detail
- CVE-2021-39237 – This physical access port vulnerability exposes certain HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers to potential information disclosure.
- CVE-2021-39238 – This font parsing vulnerability exposes certain HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed products to a potential buffer overflow.
Cross-site Printing Attack
The security flaws could allow an attacker to launch a cross-site printing attack against vulnerable printers on the network. The attack involves tricking users from a targeted organization into visiting a malicious website, which exposes the organization’s vulnerable MFPs. Once the victim visits the malicious site, the website automatically prints a document containing a maliciously crafted font on the vulnerable MFP, giving the attacker code execution rights on the device.
“An attacker with these code execution rights could silently steal any information run (or cached) through the MFP. This includes not only documents that are printed, scanned, or faxed but also information like passwords and login credentials that connect the device to the rest of the network. Attackers could also use compromised MFPs as a beachhead to penetrate further into an organization’s network to pursue other objectives (such as stealing or changing other data, spreading ransomware, etc.),” the researchers said.
With HP being one of the leading providers of MFPs, many organizations worldwide are likely using vulnerable devices.
While there is no information on the vulnerabilities being exploited, F-Secure urged organizations to fix their vulnerable MFPs. In addition to patching, the company provided certain measures to secure MFPs against unauthorized intrusions. These include:
- Limiting physical access to MFPs
- Segregating MFPs in a separate, firewalled VLAN
- Using anti-tamper stickers to signal physical tampering with devices
- Using locks to control access to the internal hardware
- Following vendors’ best practices for preventing unauthorized modifications to security settings
- Placing MFPs in CCTV-monitored areas to record any physical usage of a hacked device at the time it was compromised
“It’s easy to forget that modern MFPs are fully-functional computers that threat actors can compromise just like other workstations and endpoints. And just like other endpoints, attackers can leverage a compromised device to damage an organization’s infrastructure and operations. Experienced threat actors see unsecured devices as opportunities, so organizations that don’t prioritize securing their MFPs like other endpoints leave themselves exposed to attacks like the ones documented in our research,” said F-Secure security consultant Timo Hirvonen.
On how organizations can mitigate the risks from rising vulnerability exploits, Hirvonen explained, “Organizations need to first get a handle on all their endpoints. Often, we see companies forget or overlook certain devices and endpoints, neglecting to update or even carry out basic cyber hygiene practices – which in the end leads to vulnerabilities as we have seen here.
“In this case, in addition to patching, organizations can mitigate the risks by carrying out relatively simple techniques such as limiting physical access to MFPs, segregating MFPs in a separate firewalled VLAN, and following the security hardening guidelines of the vendor. These simple actions will make a huge difference to the overall security posture of the company.”