Hardware hacking technique gets points for innovation, although some degree of social engineering is required

HP printer vulnerabilities left enterprise networks open to abuse via cross-site printing attack

HP has patched two high-severity flaws impacting more than 150 of its multifunction printers (MFPs) that could allow attackers to seize control of vulnerable devices, steal information, and infiltrate the victim’s network.

Uncovered by F-Secure’s Timo Hirvonen and Alexander Bolshev, the exposed physical access port vulnerability and font parsing vulnerability have apparently been present since 2013.

With HP holding 40% of the worldwide hardware peripherals market, according to IDC, affected printers are extremely widespread.

“As devices go, printers often fly under the radar of the usual security stipulations and are seen as different to other types of endpoints,” Bolshev tells The Daily Swig.

“Security teams in many organisations often forget about these devices and the basic security hygiene that goes with them, like installing regular updates and network segmentation.”

Cross-site printing

The vulnerabilities could allow an attacker to launch a so-called ‘cross-site printing’ attack, although a user on the vulnerable printer’s network would first need to be tricked into visiting a malicious website.

If successful, the website could remotely print a document containing a maliciously crafted font on the vulnerable printer, giving the attacker code execution rights on the device.

The attacker could then silently steal any information that passes through or is cached on the printer – including not only printed, scanned, or faxed documents, but also the passwords and login credentials that connect the device to the rest of the network.

Meanwhile, the researchers found, the font parsing vulnerabilities are wormable, allowing attackers to create self-propagating malware that compromises affected printers and spreads across the network.

“A skilled attacker could successfully exploit the physical ports in a little over five minutes. Exploiting the font parser would only take a few seconds,” the researchers say.

“However, these are not low-hanging fruits that would be obvious to many threat actors. The font parsing issue isn’t the easiest to find or exploit, and anything requiring physical access poses logistical barriers for threat actors to overcome.”

The fine print

As well as patching, the researchers recommend tightening up printer security overall. This could include segregating them in a separate, firewalled VLAN and following vendors’ best practices for preventing unauthorized modifications to security settings.

And, they say, physical measures could also be used, such as limiting access to the devices, using anti-tamper stickers, and placing printers in CCTV-monitored areas.

F-Secure informed HP of the vulnerabilities on April 29 this year, and advisories (1, 2) were issued at the beginning of November.

“There was great cooperation in fixing the issues and HP handled this very responsibly,” Hirvonen tells The Daily Swig. “Not all organizations treat security researchers with the same respect HP treated us.”

Head to the F-Secure pressroom for a detailed technical write-up. 
