Cybersecurity researchers from F-Secure have discovered two critical vulnerabilities, collectively tracked as Printing Shellz, that impact approximately 150 multifunction printer models.
The vulnerabilities can be exploited by attackers to take control of vulnerable devices and steal sensitive information, from enterprise networks. The issues date back to 2013 and HP fixed them (, ) in November. The company acknowledged F-Secure Labs researchers Timo Hirvonen and Alexander Bolshev for reporting the vulnerabilities on April 29, 2021.
The two vulnerabilities are:
“We found multiple exploitable bugs in a HP multi-function printer (MFP). The flaws are in the unit’s communications board and font parser.” reads the FAQs published by F-Secure researchers. “An attacker can exploit them to gain code execution rights, with the former requiring physical access while the latter can be accomplished remotely. A successful attack will allow an adversary to achieve various objectives, including stealing information or using the compromised machine as a beachhead for future attacks against an organization.“
Threat actors can exploit both flaws locally via physical access to the vulnerable device, for example by Printing from USB drives. Another attack scenario sees attackers printing from another device in the same network segment, in this case, the threat actor uses an exploit that replicates itself to other vulnerable MFPs across the network.
Below are the attack scenarios detailed by the researchers:
Organizations should install the patches as soon as possible, the public disclosure of the vulnerabilities will likely trigger a wave of attacks attempting to exploit the vulnerabilities.
(SecurityAffairs – hacking, HP multifunction printers)