Two critical vulnerabilities, collectively tracked as Printing Shellz, have been discovered that impact 150 multifunction printer models. Attackers can exploit these vulnerabilities to take control of vulnerable devices and steal sensitive information from enterprise networks.
The two vulnerabilities are:
- CVE-2021-39237 – CVSS: 7.1 – An information disclosure vulnerability impacting certain HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers.
- CVE-2021-39238 – CVSS: 9.3 – A buffer overflow vulnerability impacting certain HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise PageWide, and HP PageWide Managed products.
Threat actors can exploit both flaws locally via physical access to the vulnerable device, for example by printing from USB drives. In another scenario, the threat actor prints from another device in the same network segment, using an exploit that replicates itself to other vulnerable MFPs across the network.
The researchers detailed the following attack scenarios that attackers could use:
- Printing from USB drives.
- Social engineering a user into printing a malicious document.
- Printing by connecting directly to the physical LAN port.
- Printing from another device that is under the attacker’s control and in the same network segment.
- Cross-site printing (XSP).
- Direct attack via exposed UART ports.
Organizations should install the patches as soon as possible; the public disclosure of the vulnerabilities will likely trigger a wave of attacks attempting to exploit them.