HP Printer Hijack Bugs Impact 150 Models
Security researchers have discovered two vulnerabilities in multi-function printers (MFPs) that impacted 150 product models.
F-Secure security consultants Timo Hirvonen and Alexander Bolshev have written up their findings in a detailed report, Printing Shellz.
Specifically, they found a physical access port vulnerability (CVE-2021-39237) and a font parsing bug (CVE-2021-39238) in HP’s MFP M725z device. The flaws turned out to affect scores more products in the FutureSmart line dating back to 2013.
CVE-2021-39238 is the more dangerous of the two as it can be exploited remotely, potentially by tricking an employee into visiting a malicious website, to conduct a “cross-site printing” attack. Here, the website would automatically print a document containing a maliciously crafted font on a vulnerable MFP, said F-Secure.
This would allow an attacker to execute arbitrary code on the machine to steal any printed, scanned or faxed information, including device passwords.
The report claimed that it could also enable attackers to launch deeper attacks into the corporate network to spread ransomware, steal data from more sensitive data stores and achieve other goals.
The bugs are also wormable, meaning multiple MFPs on the same network could be automatically impacted.
“It’s easy to forget that modern MFPs are fully-functional computers that threat actors can compromise just like other workstations and endpoints. And just like other endpoints, attackers can leverage a compromised device to damage an organization’s infrastructure and operations,” explained F-Secure’s Hirvonen.
“Experienced threat actors see unsecured devices as opportunities, so organizations that don’t prioritize securing their MFPs like other endpoints leave themselves exposed to attacks like the ones documented in our research.”
HP has issued patches for the vulnerabilities, which are described as “medium” (CVE-2021-39237) and critical severity (CVE-2021-39238).
Although they’re only thought to be exploitable by advanced targeted attackers, enterprises were urged to patch them as soon as possible.