Security researchers have discovered two vulnerabilities in multi-function printers (MFPs) which impacted 150 product models.
F-Secure security consultants Timo Hirvonen and Alexander Bolshev have written up their findings in a detailed report, Printing Shellz.
Specifically, they found a physical access port vulnerability (CVE-2021-39237) and a font parsing bug (CVE-2021-39238) in HP’s MFP M725z device. They turned out to affect scores more products in the FutureSmart line dating back to 2013.
CVE-2021-3928 is the more dangerous of the two as it can be exploited remotely, potentially by tricking an employee into visiting a malicious website, to conduct a “cross-site printing” attack. Here, the website would automatically print a document containing a maliciously crafted font on a vulnerable MFP, said F-Secure.
This would allow an attacker to execute arbitrary code on the machine to steal any printed, scanned or faxed information, including device passwords.
The report claimed that it could also enable attackers to launch deeper attacks into the corporate network to spread ransomware, steal data from more sensitive data stores and achieve other goals.
The bugs are also wormable, meaning multiple MFPs on the same network could be automatically impacted.
“It’s easy to forget that modern MFPs are fully-functional computers that threat actors can compromise just like other workstations and endpoints. And just like other endpoints, attackers can leverage a compromised device to damage an organization’s infrastructure and operations,” explained F-Secure’s Hirvonen.
“Experienced threat actors see unsecured devices as opportunities, so organizations that don’t prioritize securing their MFPs like other endpoints leave themselves exposed to attacks like the ones documented in our research.”
HP has issued patches for the vulnerabilities, which are described as “medium” (CVE-2021-39237) and critical severity (CVE-2021-39238).
Although they’re only thought to be exploitable by advanced targeted attackers, enterprises were urged to patch them as soon as possible.
Phil Muncaster UK / EMEA News Reporter, Infosecurity Magazine