Researchers discover high-severity, 16-year-old flaw in drivers for millions of HP, Samsung and Xerox printers
Security researchers from SentinelOne have uncovered an ancient vulnerability in the drivers used by printers from three big manufacturers.
The high-severity security vulnerability -- which is being tracked as CVE-2021-3438 -- affects drivers for HP, Samsung and Xerox printers and has evaded detected for 16 years. In all, around 400 printer models are at risk, leaving millions of printers exposed to the danger of the serious privilege escalation vulnerability.
See also:
- Sequoia: Linux kernel security flaw gives unprivileged users root access
- After waking up from PrintNightmare, Microsoft has a workaround for another Windows Print Spooler vulnerability
- HiveNightmare: Windows 10 and Windows 11 have a security vulnerability that can be exploited to gain administrative access to the registry
SentinelOne researchers warn that if left unpatched, the security flaw could allow for privilege elevation which in turn could enable a unprivileged user to access a system account and run code in kernel mode. They say: "Successfully exploiting a driver vulnerability might allow attackers to potentially install programs, view, change, encrypt or delete data, or create new accounts with full user rights. Weaponizing this vulnerability might require chaining other bugs".
The potential impact of the security flaw is high for various reasons, as SentinelOne's Asaf Amir explains in a post about the issue:
Just by running the printer software, the driver gets installed and activated on the machine regardless of whether you complete the installation or cancel.
Thus, in effect, this driver gets installed and loaded without even asking or notifying the user. Whether you are configuring the printer to work wirelessly or via a USB cable, this driver gets loaded. In addition, it will be loaded by Windows on every boot:
This makes the driver a perfect candidate to target since it will always be loaded on the machine even if there is no printer connected.
The bug was discovered some months ago, as revealed in the disclosure timeline:
- 18 Feb, 2021 - Initial report.
- 23 Feb, 2021 - We notified HP that the same issue exists in Samsung and Xerox printers.
- 19 May, 2021 - HP released an advisory for CVE-2021-3438.
- 20 May, 2021 - We notified HP that the “affected products” listing is incomplete and provided extra information.
- 01 Jun, 2021 – HP updated the list of affected products.
The good news is that there are patches available, and full information about the steps to take can be found in HP Security Advisory HPSBPI03724 and Xerox Advisory Mini Bulletin XRX21K where you will also find a complete list of affected printers.
Image credit: victoras / Shutterstock