SECURITY
SECURITY
SECURITY
Security vulnerabilities found in more than 150 HP multifunction printers
Researchers at cybersecurity solutions firm F-Secure Corp. today revealed they have discovered a range of security vulnerabilities that affect more than 150 multifunction printers from HP Inc.
The researchers, Timo Hirvonen and Alexander Bolshev, started with testing one printer from HP to see if it was vulnerable to hacking. It was, and using those initial findings, they tested other HP devices, finding the widespread nature of the vulnerabilities.
The vulnerabilities include physical access port vulnerabilities and font parsing vulnerabilities. The most effective attack method would involve tricking a user from a targeted organization into visiting a malicious website, exposing the organization’s vulnerable printer to a cross-site printing attack. The website would automatically and remotely print a document containing a maliciously crafted font on the vulnerable printer, giving the attacker code execution rights on the device.
One of the vulnerabilities, with the designation CVE-2021-39238, is also described as wormable, meaning that an attacker could create a self-propagating network worm capable of independently spreading to other vulnerable printers on the same network.
Surprisingly, some of the vulnerabilities dated back to at least 2013. Further complicating matters, the researchers note, many organizations don’t treat printers like other types of endpoints, meaning that security teams often forget about basic security hygiene, such as installing updates.
A successful attack using one of the vulnerabilities can lead to an adversary achieving various objectives, including stealing information or using the compromised printer as a beachhead for future attacks against an organization.
The researchers did note that attacks using the vulnerabilities require some skill to accomplish. As such, many attackers will attempt to find other ways to breach organizations. That said, they note, organizations facing high-skilled, well-resourced threats groups, such as those in critical sectors, should prioritize updating and securing vulnerable printers.
Those updates are now available. Before going public with their findings, Hirvonen and Bolshev worked with HP to address the vulnerabilities. Two security advisories from HP detail the affected products and the patches available.
These sorts of printers “are incredibly common and HP is a market leader,” the researchers conclude. “Smaller organizations should not panic, but larger organizations facing well-resourced/highly-skilled threat actors, and/or organizations involved in critical sectors, should consider this a realistic attack vector. “
Image: HP
A message from John Furrier, co-founder of SiliconANGLE:
Support our mission to keep content open and free by engaging with theCUBE community. Join theCUBE’s Alumni Trust Network, where technology leaders connect, share intelligence and create opportunities.
- 15M+ viewers of theCUBE videos, powering conversations across AI, cloud, cybersecurity and more
- 11.4k+ theCUBE alumni — Connect with more than 11,400 tech and business leaders shaping the future through a unique trusted-based network.
About SiliconANGLE Media
SiliconANGLE Media is a recognized leader in digital media innovation, uniting breakthrough technology, strategic insights and real-time audience engagement. As the parent company of SiliconANGLE, theCUBE Network, theCUBE Research, CUBE365, theCUBE AI and theCUBE SuperStudios — with flagship locations in Silicon Valley and the New York Stock Exchange — SiliconANGLE Media operates at the intersection of media, technology and AI.
Founded by tech visionaries John Furrier and Dave Vellante, SiliconANGLE Media has built a dynamic ecosystem of industry-leading digital media brands that reach 15+ million elite tech professionals. Our new proprietary theCUBE AI Video Cloud is breaking ground in audience interaction, leveraging theCUBEai.com neural network to help technology companies make data-driven decisions and stay at the forefront of industry conversations.
