Critical Vulnerability in 150 HP LaserJet and PageWide Printer Models

Security researchers at F-Secure have identified a critical vulnerability (CVE-2021-39238) affecting more than 150 different models of HP LaserJet, LaserJet Managed, PageWide and PageWide Managed printers and MFPs. By sending a specially crafted PDF document for printing, an attacker can trigger a buffer overflow in the font handler and execute their own code at the firmware level. The problem has been present since 2013 and was fixed in firmware updates published on November 1 (the manufacturer was notified of the problem in April).

The attack can be carried out against both locally connected printers and network printing systems. For example, an attacker can use social engineering to get a user to print a malicious file, attack the printer from an already compromised user system, or use a technique similar to DNS rebinding, which makes it possible to send an HTTP request to the printer's network port (9100/TCP, JetDirect) that is not directly accessible from the Internet.

After the vulnerability is successfully exploited, a compromised printer can be used as a springboard to attack a local network, to sniff traffic, or to leave a hidden point of presence for attackers on a local network. The vulnerability is also suitable for building botnets or creating network worms that scan other vulnerable systems and try to infect them. To mitigate the harm from compromised printers, it is recommended to place network printers on a separate VLAN, restrict outbound network connections from printers with a firewall, and use a separate intermediate print server instead of directly accessing the printer from workstations.
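The isolation measures recommended above can be verified against connection logs. The following Python audit is an added example, not part of the original article or of any F-Secure or HP material; the addresses, the record format (initiator first) and the egress allowlist are assumptions constructed for illustration.

```python
import ipaddress

# Assumed addressing, constructed for this example (not from the article).
PRINTER_VLAN = ipaddress.ip_network("10.20.30.0/24")
PRINT_SERVER = ipaddress.ip_address("10.20.10.5")
# Printer-initiated traffic that policy permits (here: one internal NTP server).
ALLOWED_EGRESS = {(ipaddress.ip_address("10.20.10.53"), 123, "udp")}

# Constructed connection records, initiator first:
# "orig_ip orig_port resp_ip resp_port proto"
SAMPLE_FLOWS = """\
10.20.10.5 51514 10.20.30.11 9100 tcp
10.20.40.77 49822 10.20.30.11 9100 tcp
10.20.30.11 40112 10.20.40.80 445 tcp
10.20.30.12 38001 203.0.113.9 443 tcp
10.20.40.77 50233 10.20.10.5 631 tcp
10.20.30.11 40555 10.20.10.53 123 udp
10.20.30.11 41002 10.20.30.12 9100 tcp
"""

def audit_flows(text):
    """Return (rule, orig, resp, resp_port) for every policy violation."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip blank or malformed records
        orig = ipaddress.ip_address(fields[0])
        resp = ipaddress.ip_address(fields[2])
        port, proto = int(fields[3]), fields[4].lower()
        if orig in PRINTER_VLAN:
            # Printers should only answer; any connection they open is suspect,
            # including connections to other printers in the same VLAN.
            if (resp, port, proto) not in ALLOWED_EGRESS:
                findings.append(("printer-initiated", str(orig), str(resp), port))
        elif resp in PRINTER_VLAN and orig != PRINT_SERVER:
            # Only the print server may reach printers (9100/TCP or otherwise).
            findings.append(("direct-to-printer", str(orig), str(resp), port))
    return findings

if __name__ == "__main__":
    for rule, orig, resp, port in audit_flows(SAMPLE_FLOWS):
        print(f"{rule:18} {orig} -> {resp}:{port}")
```

A non-empty result means either a workstation reached a printer without going through the print server, or a printer opened a connection that the firewall should have blocked.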

The researchers also identified another vulnerability (CVE-2021-39237) in HP printers, which makes it possible to gain full access to the device. Unlike the first vulnerability, the problem has been assigned a moderate severity level, since the attack requires physical access to the printer (you need to connect to the UART port for about 5 minutes).



Source: opennet.ru
