F-Secure's security experts have found vulnerabilities in over 150 HP multifunction printers. HP is now releasing patches for security vulnerabilities that hackers can exploit to steal information or carry out other attacks on companies.
HP Inc. has released patches for vulnerabilities that cybersecurity vendor F-Secure has discovered in over 150 of its multifunction printers (MFP). According to a study published by F-Secure, attackers can use the vulnerabilities to gain control of unprotected printers, steal information and infiltrate networks in such a way that further damage can be done.
Vulnerabilities affect 150 HP printer models
Two F-Secure security consultants, Timo Hirvonen and Alexander Bolshev, discovered vulnerabilities in the physical access port (CVE-2021-39237) and font parsing (CVE-2021-39238) in the HP MFP M725z, a product from the FutureSmart range of printers from HP. The security advisories published by HP now list over 150 different products that are affected by the vulnerabilities.
The most effective attack method is to convince employees of an attacked company to visit a malicious website. A so-called cross-site printing attack can then be carried out on the unprotected MFP device. The website automatically prints a document on the affected MFP via the Internet. The malicious font contained in the document enables the attacker to execute further code on the printer.
Attack with bad font
An attacker with these rights to execute code could unnoticed steal all data that passes through the MFP device or is cached on it. This includes not only documents that are printed, scanned or faxed, but also sensitive information such as passwords and access data that connect the device to the rest of the network. Attackers could also use infected MFPs as a starting point to penetrate further into a company's network and cause additional damage - for example theft or alteration of other data, spread of ransomware, etc.
According to the security experts, exploiting the vulnerabilities tends to be too complex for many less qualified attackers, but more experienced threat actors can certainly use them for targeted attacks.
Font parsing vulnerability to computer worms
The researchers also found that font parsing vulnerabilities are vulnerable to worms, meaning attackers could create self-propagating malware that automatically infects affected MFPs and then spreads to other unprotected devices on the same network.
“It's easy to forget that modern MFPs are fully functional computers that attackers can manipulate just like other workstations and devices. And just like with other end devices, attackers can exploit an infected device to damage a company's infrastructure and business operations. Experienced cyber criminals see unsecured devices as an opportunity. Companies that do not give the security of their MFPs the same priority as the protection of other end devices expose themselves to the risk of such attacks, as documented in our study, ”explains Hirvonen.
Recommendations for securing MFPs
Given HP's status as a leader in MFPs, with an estimated 40 percent share of the hardware peripherals market, many organizations around the world are likely to have vulnerable devices.
In the spring, Hirvonen and Bolshev contacted HP with their findings and worked with the company to remedy the weaknesses. HP has now released firmware updates and safety notices for the affected devices.
Although some threat actors cannot use the attack method due to the high requirements, the security analysts believe that companies should still protect their MFPs from attackers with a high level of expertise - especially if the company has been exposed to similar attacks in the past.
Possible measures to secure the MFPs in addition to the patches
- Restricting physical access to MFPs
- Establishment of a separate, separate VLAN with firewall for the MFPs
- Use of security labels to detect physical tampering with devices
- Use of locks (e.g. Kensington locks) to control access to hardware
- Compliance with the manufacturer's recommendations to prevent unauthorized changes to the security settings
- Place the MFPs in rooms with camera surveillance to record all physical use of the hacked device at the time of the compromise.
“Large companies, companies in sensitive industries and other organizations that are confronted with highly qualified, well-equipped attackers should take our findings seriously. There is no need to panic, but you should be aware of the specific risks so that you are prepared for these attacks. Even if it is a technically demanding hack, it can be fended off with basic measures such as network segmentation, patch management and tightened security precautions, ”says Hirvonen.
More at F-Secure.com
Via F-Secure Nobody has a better insight into real cyberattacks than F-Secure. We bridge the gap between detection and response. To do this, we leverage the unmatched threat expertise of hundreds of the best technical advisors in our industry, data from millions of devices using our award-winning software, and ongoing innovations in artificial intelligence. Leading banks, airlines and corporations trust our commitment to fight the world's most dangerous cyber threats. Together with our network of top channel partners and over 200 service providers, it is our mission to provide all of our customers with tailored, enterprise-grade cybersecurity. F-Secure was founded in 1988 and is listed on NASDAQ OMX Helsinki Ltd.