HP Printer Flaw Puts 150 Models at Risk — Install this Patch Right Now

HP printer owners should download the latest firmware to protect their devices from critical security flaws.

Researchers at F-Secure recently revealed serious vulnerabilities affecting approximately 150 HP printer models including HP Colour LaserJet Enterprise, HP LaserJet Enterprise, HP PageWide, HP OfficeJet Enterprise Colour, and HP ScanJet Enterprise 8500 FN1 Document Capture Workstation series.

Dubbed “Printing Shellz,” the flaw consists of two separate vulnerabilities that give attackers a way to steal your personal information. The vulnerabilities exist in the printers’ communication board and font parser. When they are exploited, an attacker can gain code execution to nab information from the printer or use the machine as a source for further attacks.

The more dangerous of the vulnerabilities, CVE-2021-39238 (CVSS score of 9.3), is a buffer overflow issue that’s wormable, meaning it can spread on its own to other vulnerable multi-function printers. Moreover, the flaw can be exploited remotely by luring a victim to a malicious website and delivering an exploit payload from the browser to the printer, a technique called cross-site printing.

Before you go Office Space on your HP, there is some reassuring news. A few months after F-Secure disclosed these flaws to HP in April, the tech company released patches to mitigate the risk. HP is now urging customers to go to the HP Software and Driver Downloads page and search for their specific printer model to install the patch. So far, there is no evidence that the vulnerabilities have been exploited in the wild.

“Any organisations using affected devices should install the patches as soon as they’re available,” the researchers say. “While exploiting these issues is somewhat difficult, the public disclosure of these vulnerabilities will help threat actors know what to look for to attack vulnerable organisations.”

It’s also worth noting that the second issue, CVE-2021-39237 (CVSS score of 7.1), is caused by exposed ports, meaning physical access is required to carry out an attack. This can be done using a USB stick or by connecting to the printer’s Ethernet port. F-Secure recommends keeping the option to print from USB disabled.

We typically associate malware with laptops, desktops, and banking services, but printers are a frequent target for hackers. In 2017, researchers discovered a group of vulnerabilities in at least 20 network printer models made by well-known brands, HP being one of them. And earlier this year, Microsoft released an emergency patch for a critical bug called “PrintNightmare” that allowed attackers to install malicious code.

Let this be a reminder to always keep your gadgets up-to-date because even the seemingly innocuous tech you have scattered around your house can play host to a cyber attack.