Printing Shellz FAQ
In spite of organizations’ reduced reliance on paper, printers remain a common presence in offices. Modern multifunction printers (MFPs) provide a variety of services, such as scanning, faxing and a variety of networking features, essentially making them fully-functional computers.
And like most computers, attackers can find ways to compromise these MFPs. Out of professional curiosity, F-Secure security consultants Timo Hirvonen and Alexander Bolshev applied their hacking talents to an MFP unit from HP Inc. Their research led to the discovery of vulnerabilities that affect over 150 different HP products.
Thanks to their professional curiosity, talent, and efforts, HP has now issued patches for the vulnerabilities, essentially improving the security of a significant portion of their MFP units.
Timo and Alexander have now posted a detailed technical write-up of their research on F-Secure Labs. However, we’ve also prepared the below FAQ to provide a quick summary of the research.
Q: Can you give a quick overview of what your research is about?
A: We found multiple exploitable bugs in a HP multi-function printer (MFP). The flaws are in the unit’s communications board and font parser. An attacker can exploit them to gain code execution rights, with the former requiring physical access while the latter can be accomplished remotely. A successful attack will allow an adversary to achieve various objectives, including stealing information or using the compromised machine as a beachhead for future attacks against an organization.
Q: Researchers discover vulnerabilities all the time. Why should people care about these?
A: There’s a few reasons.
For one, the vulnerabilities date back to at least 2013 and affect a large number of HP products released. And HP is a large company that sells products all over the world. In all likelihood, a lot of companies are using these vulnerable devices. To make matters worse, many organizations don’t treat printers like other types of endpoints. That means IT and security teams forget about these devices’ basic security hygiene, such as installing updates.
Another reason is that there aren’t many forensic tools capable of recovering evidence from MFPs and similar devices, so attackers that successfully exploit these flaws will leave very little evidence behind. It’s a good option for adversaries that need stealth.
Also, CVE-2021-39238 is wormable, which means an attacker could create a self-propagating network worm capable of independently spreading to other vulnerable MFPs on the same network.
So for these reasons, it is important for organizations to understand this threat and secure their vulnerable MFPs.
Q: Should we expect these vulnerabilities to trigger some sort of massive wave of cyber attacks?
A: No. The attack requires some skill to accomplish. Many attackers will attempt to find other ways to breach organizations. However, organizations facing highly-skilled, well-resourced threat groups, as well as those working in critical sectors, should prioritize updating and securing vulnerable MFPs.
Q: What products are affected?
A: According to HP’s security advisories, the vulnerabilities affect over 150 products:
- https://support.hp.com/us-en/document/ish_5000124-5000148-16/hpsbpi03748
- https://support.hp.com/us-en/document/ish_5000383-5000409-16/hpsbpi03749
Our test device was an HP MFP M725z. We have not tested our research on other devices.
Q: Do products from other vendors have the same problems?
A: It is possible devices from other vendors have similar issues, but we have not performed research into other MFPs.
Q: What exactly are the vulnerabilities or security flaws you discovered?
A: Our research exposed several different flaws, including:
- CVE-2021-39237 (two exposed physical ports that grant full access to the device).
- CVE-2021-39238 (two different font parsing vulnerabilities).
Q: How can attackers exploit the vulnerability/flaw?
A: There are several ways to exploit these flaws, including:
- Printing from USB drives. This is what we used during the research. In the modern firmware versions, printing from USB is disabled by default.
- Social engineering a user into printing a malicious document. It may be possible to embed an exploit for the font-parsing vulnerabilities in a PDF. The opportunities for social engineering are endless: HR printing a CV before a job interview, a receptionist printing a boarding pass, etc.
- Printing by connecting directly to the physical LAN port.
- Printing from another device that is under attacker’s control and in the same network segment. This also implies that the respective flaw (CVE-2021-39238) is wormable, i.e., the exploit can be used to create a worm that replicates itself to other vulnerable MFPs across the network.
- Cross-site printing (XSP): sending the exploit to the printer directly from the browser (by tricking a user into visiting a malicious website, for example) using an HTTP POST to JetDirect port 9100/TCP. This is probably the most attractive attack vector.
- Direct attack via exposed UART ports that are mentioned in CVE-2021-39237, if attacker has physical access to the device for a short period of time.
Q: How difficult is using this attack, how much time and money would an attacker have to invest?
A: A skilled attacker could successfully exploit the physical ports in a little over 5 minutes. Exploiting the font parser would only take a few seconds. However, these are not low-hanging fruits that would be obvious to many threat actors. The font parsing issue isn’t the easiest to find or exploit, and anything requiring physical access poses logistical barriers for threat actors to overcome.
Q: What’s the impact of the vulnerability/flaw?
A: There are a few things attackers could accomplish by exploiting these flaws in the way we’ve described. These vulnerabilities give attackers an effective way to steal information: defenders are unlikely to proactively examine the security of a printer, and so the attacker can simply sit back and steal whatever information it comes across (via employees printing, scanning, etc).
They could also use the MFP as a pivot point to move through the corporate network. Because there are no decent tools to perform forensics on embedded devices, this would make it easy for an attacker to infiltrate an organization and accomplish their goals without leaving evidence that would lead back to the MFP.
Attackers could also create a self-propagating network worm capable of spreading itself to other vulnerable MFPs on the same network.
Q: How big of a problem is it really and for whom?
A: MFPs are incredibly common and HP is a market leader:
However, because the exploit requires a reasonably skilled attacker, smaller organizations should not panic. But larger organizations facing well-resourced/highly-skilled threat actors, and/or organizations involved in critical sectors, should consider this a realistic attack vector.
Q: Is it possible to detect these attacks?
A: Yes! Defenders can detect the attack by monitoring the network traffic, log analysis, etc. In other words, although doing forensics on the device is close to impossible, it’s still possible to detect the attack using methods such as networking monitoring.
Q: Have these vulnerabilities been exploited by threat actors during attacks?
A: We have no evidence or reports of threat actors exploiting these vulnerabilities in attacks.
Q: What was the motivation behind this research?
A: Initially, the main motivation was professional development. Specifically, Timo wanted to work with Alexander on a hardware hacking project to learn more about it. While HP did a good job securing the MFP in some ways, it only took Alexander a few hours to find the first issue. As the research progressed, it was expanded and placed greater emphasis on stealth to develop some new tools and insights for use in red teaming and similar activities.
Q: How much time did it take you to discover the vulnerability/flaw?
A: We discovered the exposed hardware connectors very early on in the project. Finding the font parsing issue required some reverse engineering to find where the font parser is implemented. Once we found the font parser, spotting the vulnerability did not take that long since it’s quite similar to the one exploited by Joshua J. Drake against Java in 2013 (https://optivstorage.blob.core.windows.net/web/file/cc8c4a0be14e4df69cec533244b41a60/Pwn2Own-2013-Java-7-SE-Memory-Corruption.pdf).
Q: When did you inform the vendor?
A: 2021-04-29.
Q: Has the vendor patched the vulnerable products? If so when and where can customers find more information?
Q: The vendor has released firmware updates that patch the vulnerabilities. More information is contained in their advisories:
- https://support.hp.com/us-en/document/ish_5000124-5000148-16/hpsbpi03748
- https://support.hp.com/us-en/document/ish_5000383-5000409-16/hpsbpi03749
A technical write-up of the research is available from F-Secure Labs: https://labs.f-secure.com/publications/printing-shellz.
Q: How important is it for users to patch?
A: Any organizations using affected devices should install the patches as soon as they’re available. While exploiting these issues is somewhat difficult, the public disclosure of these vulnerabilities will help threat actors know what to look for to attack vulnerable organizations.
Q: Why did you choose to make the vulnerability/flaw public?
A: F-Secure is committed to promote coordinated disclosure as well as information security research. We believe that any vendor should be given a chance to address whatever vulnerabilities in a fair manner. At the same time, F-Secure does not believe in security through obscurity and for this reason we try to provide our customers and the public with as much information as possible.
Q: Does this have anything to do with the exploit you used against an HP printer to get it to play AC/DC’s Thunderstruck at the recent Pwn2Own competition in Austin?
A: No. The HP MFP device that was used in the recent Pwn2Own contest is from a different product family and shares no common code/binaries with the MFP unit described in the research documented in our blog post.
However, it is worth mentioning that we’ve now found critical security issues in both of HP’s main MFP product lines, and will publish a write-up for our Pwn2Own research at a later date. Stay tuned!
Q: What else can organizations do to secure their vulnerable MFPs?
A: There are multiple ways to mitigate the vulnerability in the font parser. Firstly, printing from USB is disabled by default and should stay that way, as recommended by HP. Secondly, since an attacker in the same network segment can exploit the vulnerability by communicating directly to JetDirect TCP/IP port 9100, it is recommended to place the printers into a separate, firewalled VLAN . The workstations should communicate with a dedicated print server, and only the print server should talk to the printers. This is important since, without proper network segmentation, the vulnerability could be exploited by a malicious website that sends the exploit directly to port 9100 from the browser. To hinder lateral movement and C&C communications from a compromised MFP, outbound connections from the printer segment should be allowed to explicitly listed addresses only. Finally, it is recommended to follow HP’s best practices (h10032.www1.hp.com/ctg/Manual/c03137192) for securing access to device settings to prevent unauthorized modifications to any security settings.
Categories