Security Flaws In 150 HP Printers Let Hackers Steal Your Data But Is Your Model Affected?
Security researchers at F-Secure discovered security vulnerabilities affecting over 150 multi-function printer models from HP. That's the bad news. The worse news is, in addition to impacting so many printer models, these are labeled as Critical and High security flaws. Ready for the good news? HP has issued patches.
The disclosure comes on the heels of the PrintNightmare fiasco, though these are different bugs. According to security consultants Timo Hirvonen and Alexander Bolshev, the vulnerabilities have been around since at least 2013 and "in all likelihood, a lot of companies are using" affected printer models.
Out of the two vulnerabilities, the more serious of the two is tracked as CVE-2021-39238 with a Critical 9.3 rating. It's a font parsing bug, but part of what earned it a Critical rating is that it's wormable. That means attackers could create self-propagating malware that could spread to other vulnerable devices on the same network.
The other one with a High security rating of 7.1 is tracked as CVE-2021-39237. HP describes it as an information disclosure bug, with F-Secure adding that an attacker with code execution rights could silently steal cached information.
"This includes not only documents that are printed, scanned, or faxed, but also information like passwords and login credentials that connect the device to the rest of the network. Attackers could also use compromised MFPs as a beachhead to penetrate further into an organization’s network in pursuit of other objectives (such as stealing or changing other data, spreading ransomware, etc.)," F-Secure says.
That said, an attacker would need local access to a printer to exploit the vulnerability, hence the lower rating. In addition, F-Secure says these attacks require some skill to pull off, meaning they're likely too difficult for more casual hackers to exploit. Still, organizations that face high-skilled hackers should especially take these vulnerabilities seriously.
We can't find where HP outlines all 150+ models that are affected, though more broadly, the company notes these vulnerabilities exist on certain LaserJet, LaserJet Managed, PageWide, and PageWide units. Regardless of your printer model, you should check to see if there is an update available and if so, apply it right away.
