150 HP Printer Models Affected By 8 Year Old Vulnerability

Many vulnerabilities affecting at least 150 HP multi-function printers have been discovered by security researchers, most dating back to 2013.

F-Secure security researchers Alexander Bolshev and Timo Hirvonen made the discovery. They noted that the flaws date back to 2013, so it is likely that many users have been exposed to cyber attacks through these vulnerabilities since then.

HP has been quick to release firmware updates that fix two of the most critical flaws, CVE-2021-39237 and CVE-2021-39238. Following these links will give you a full list of all the affected printers. The first flaw applies to two exposed physical ports that can grant full access to the device; by accessing these ports one could gain access to private information. The second is a buffer overflow vulnerability in the font parser. Exploiting it allows threat actors to execute code remotely. The flaw also allows the threat actor to spread from one printer to the whole network.

Bolshev and Hirvonen discovered these flaws using an HP M725z printer as the test device. They notified HP of their findings in April this year, and HP then discovered that many other models were also affected. The researchers described the following ways the vulnerabilities could be exploited:

  • Printing from USB drives, which is what was used during the research too. In the modern firmware versions, printing from USB is disabled by default.
  • Social engineering a user into printing a malicious document. It may be possible to embed an exploit for the font-parsing vulnerabilities in a PDF.
  • Printing by connecting directly to the physical LAN port.
  • Printing from another device that is under the attacker’s control and in the same network segment.
  • Cross-site printing (XSP): sending the exploit to the printer directly from the browser using an HTTP POST to JetDirect port 9100/TCP. This is the most attractive attack vector.
  • Direct attack via exposed UART ports mentioned in CVE-2021-39237, if the attacker has physical access to the device for a short time.

It is advised that any users with an HP printer check whether their model is affected and, if it is, install the firmware updates and apply the following mitigations:

  • Disable printing from USB.
  • Place the printer into a separate VLAN sitting behind a firewall.
  • Only allow outbound connections from the printer to a specific list of addresses.
  • Set up a dedicated print server for the communication between workstations and the printers.
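
As an added example (not from the original article, HP or F-Secure), this script checks firewall connection records against the VLAN, outbound allow-list and print-server mitigations listed above. The addresses, the log format and the function names are assumptions constructed for illustration.

```python
import ipaddress

# Constructed addressing plan; every value here is an assumption.
PRINTER_VLAN = ipaddress.ip_network("10.20.30.0/24")
PRINT_SERVER = ipaddress.ip_address("10.20.10.5")
# (destination, port) pairs printers may open connections to, e.g. NTP and syslog.
OUTBOUND_ALLOW = {
    (ipaddress.ip_address("10.20.10.7"), 123),
    (ipaddress.ip_address("10.20.10.8"), 514),
}

# Constructed sample: one new connection per line, "src dst dport proto".
SAMPLE_FLOWS = """\
10.20.10.5 10.20.30.11 9100 tcp
10.20.40.77 10.20.30.11 9100 tcp
10.20.30.11 10.20.10.7 123 udp
10.20.30.11 203.0.113.50 443 tcp
10.20.40.77 10.20.10.5 631 tcp
"""

def check_flow(line):
    """Return a violation message, or None when the connection fits the policy."""
    src_s, dst_s, dport_s, _proto = line.split()
    src = ipaddress.ip_address(src_s)
    dst = ipaddress.ip_address(dst_s)
    dport = int(dport_s)
    if dst in PRINTER_VLAN and src not in PRINTER_VLAN:
        # Only the dedicated print server may open connections to printers.
        if src != PRINT_SERVER:
            return f"bypasses print server: {src} -> {dst}:{dport}"
    elif src in PRINTER_VLAN and dst not in PRINTER_VLAN:
        # Printers may only reach the explicit outbound allow-list.
        if (dst, dport) not in OUTBOUND_ALLOW:
            return f"printer outbound not allow-listed: {src} -> {dst}:{dport}"
    return None

def audit(log_text):
    """Check every non-empty line and collect the violations found."""
    results = (check_flow(l) for l in log_text.splitlines() if l.strip())
    return [r for r in results if r is not None]

if __name__ == "__main__":
    for violation in audit(SAMPLE_FLOWS):
        print(violation)
```

Traffic between devices inside the printer VLAN never crosses the firewall, so it does not appear in records like these and has to be monitored at the switch.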

