HP Printer Hijack Bugs Impact 150 Models
Security researchers have discovered two vulnerabilities in multi-function printers (MFPs) which impacted 150 product models.
F-Secure security consultants Timo Hirvonen and Alexander Bolshev have written up their findings in a detailed report, Printing Shellz.
Specifically, they found a physical access port vulnerability (CVE-2021-39237) and a font parsing bug (CVE-2021-39238) in HP’s MFP M725z device. They turned out to affect scores more products in the FutureSmart line dating back to 2013.
CVE-2021-39238 is the more dangerous of the two as it can be exploited remotely, potentially by tricking an employee into visiting a malicious website, to conduct a “cross-site printing” attack. Here, the website would automatically print a document containing a maliciously crafted font on a vulnerable MFP, said F-Secure.
This would allow an attacker to execute arbitrary code on the machine to steal any printed, scanned or faxed information, including device passwords.
The report claimed that it could also enable attackers to launch deeper attacks into the corporate network to spread ransomware, steal data from more sensitive data stores and achieve other goals.
The bugs are also wormable, meaning multiple MFPs on the same network could be automatically impacted.
“It’s easy to forget that modern MFPs are