Vulnerabilities found in HP multi-function printers
Researchers at F-Secure have discovered vulnerabilities in more than 150 HP multifunction printer (MFP) products. These could allow attackers to seize control of vulnerable devices, steal information, and further infiltrate networks to inflict other types of damage.
HP has issued patches to address the vulnerabilities, which include exposed physical access port vulnerabilities (CVE-2021-39237) and font parsing vulnerabilities (CVE-2021-39238).
Researchers discovered the problems in the HP MFP M725z -- part of HP's FutureSmart line of printers. However, security advisories published by HP list over 150 different products affected by the vulnerabilities.
Attackers could trick a user from a targeted organization into visiting a malicious website, exposing the organization's vulnerable MFP to what's known as a cross-site printing attack. The website would automatically and remotely print a document containing a maliciously crafted font on the vulnerable MFP, giving the attacker code execution rights on the device. This would allow attackers to steal any information going through the MFP, including not only documents that are printed, scanned, or faxed, but also information like passwords and login credentials that connect the device to the rest of the network. Attackers could then also use compromised MFPs as a beachhead to penetrate further into an organization's network.
"It's easy to forget that modern MFPs are fully-functional computers that threat actors can compromise just like other workstations and endpoints. And just like other endpoints, attackers can leverage a compromised device to damage an organization's infrastructure and operations. Experienced threat actors see unsecured devices as opportunities, so organizations that don't prioritize securing their MFPs like other endpoints leave themselves exposed to attacks like the ones documented in our research," says F-Secure security consultant Timo Hirvonen.
HP has now published firmware updates and security advisories for the affected devices. F-Secure advises users to take other steps including limiting physical access to MFPs and segregating them in a separate, firewalled VLAN.
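The VLAN segregation advised above can be verified against firewall flow logs. The following is an added example, not code from F-Secure, HP or the article: it flags allowed flows that reach an MFP without going through a print server, and flows an MFP itself opens to the rest of the network. The addresses, the log format, the port list and the scan-to-email relay are all assumptions.

```python
import ipaddress

# Assumed environment for illustration; none of these values come from the article.
PRINTER_VLAN = ipaddress.ip_network("10.20.30.0/24")        # hypothetical MFP VLAN
PRINT_SERVERS = {ipaddress.ip_address("10.20.1.5")}         # hypothetical print server
PRINT_PORTS = {515, 631, 9100}                              # LPD, IPP, raw printing
ALLOWED_OUTBOUND = {(ipaddress.ip_address("10.20.1.25"), 25)}  # scan-to-email relay

# Constructed firewall flow records: "src_ip dst_ip dst_port action"
SAMPLE_FLOWS = """\
10.20.1.5 10.20.30.11 9100 ALLOW
10.20.5.77 10.20.30.11 9100 ALLOW
10.20.5.77 10.20.30.11 443 DENY
10.20.5.80 10.20.30.12 631 ALLOW
10.20.5.80 203.0.113.10 443 ALLOW
10.20.30.11 10.20.1.25 25 ALLOW
10.20.30.11 10.20.5.77 445 ALLOW
malformed line
"""

def audit_flows(text):
    """Return (findings, unparsed) for allowed flows crossing the printer VLAN boundary."""
    findings, unparsed = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split()
        try:
            src = ipaddress.ip_address(parts[0])
            dst = ipaddress.ip_address(parts[1])
            port, action = int(parts[2]), parts[3].upper()
        except (IndexError, ValueError):
            unparsed.append(line)   # keep bad records visible instead of dropping them
            continue
        if action != "ALLOW":
            continue                # blocked traffic means the firewall rule worked
        src_in, dst_in = src in PRINTER_VLAN, dst in PRINTER_VLAN
        if dst_in and not src_in:
            # Jobs should arrive only via the print server, only on printing ports.
            if src not in PRINT_SERVERS or port not in PRINT_PORTS:
                findings.append(("inbound-bypass", str(src), str(dst), port))
        elif src_in and not dst_in:
            # An MFP opening connections elsewhere may be acting as a beachhead.
            if (dst, port) not in ALLOWED_OUTBOUND:
                findings.append(("printer-initiated", str(src), str(dst), port))
    return findings, unparsed

if __name__ == "__main__":
    for finding in audit_flows(SAMPLE_FLOWS)[0]:
        print(finding)
```

Any "inbound-bypass" finding means a workstation can still talk to the MFP directly, which is the path a browser-driven print job would take.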