Multiple Vulnerabilities in HP Printer Products Could Allow for Remote Code Execution

ITS Advisory Number: 2018-080 - UPDATED
Date(s) Issued: Wednesday, August 8, 2018
Date Updated: Tuesday, August 14, 2018
Subject: Multiple Vulnerabilities in HP Printer Products Could Allow for Remote Code Execution
Overview: 

Multiple vulnerabilities have been discovered in HP Printer products, which could allow for remote code execution. Depending on the printer's placement on the network, an attacker could potentially install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

There is no evidence of these vulnerabilities being exploited in the wild. However, the MS-ISAC has previously observed a variety of printer exploits and defacements affecting Internet-facing printers in state, local, tribal, and territorial governments, especially those located in universities, K-12 schools, and fire stations.

August 14 - UPDATED THREAT INTELLIGENCE:

The vulnerabilities in the communication protocols of fax machines were detailed recently at the DEF CON 26 Hacking Conference in Las Vegas. Security researchers Yaniv Balmas and Eyal Itkin from Check Point Software Technologies were able to demonstrate that fax machines could be compromised via access to their exposed and unprotected telephone lines.

Systems Affected: 

Refer to the list in the HP Security Bulletin for the full list of affected printer systems. Please see the reference section for more details.

RISK

GOVERNMENT
  Large and medium government entities: High
  Small government entities: High

BUSINESS
  Large and medium business entities: High
  Small business entities: High

Home Users: High

Description: 

Multiple vulnerabilities have been discovered in HP products, which could allow for remote code execution. An attacker can exploit these vulnerabilities by sending a maliciously crafted file to an affected device, which can cause a stack or static buffer overflow (CVE-2018-5924, CVE-2018-5925). Depending on the printer's placement on the network, an attacker could potentially install programs; view, change, or delete data; or create new accounts with full user rights.

August 14 - UPDATED DESCRIPTION:

Multiple vulnerabilities have been discovered in HP products, which could allow for remote code execution. An attacker can exploit these vulnerabilities by sending a maliciously crafted file to an affected device, which can cause a stack or static buffer overflow (CVE-2018-5924, CVE-2018-5925). Most recently, security researchers Yaniv Balmas and Eyal Itkin from Check Point Software Technologies were able to demonstrate that an attacker who has access to a fax number can send a maliciously crafted fax to exploit these vulnerabilities and potentially install ransomware, spyware, cryptominers, and/or data stealers. The successful exploitation of the most severe of these vulnerabilities could also allow an attacker to take control of an entire network. The researchers demonstrated the exploit in HP Officejet Pro All-in-One fax printers, which use the same protocols as many other brands of faxes, multifunction printers and online fax services. Depending on a printer's placement on the network, an attacker could also potentially view, change, or delete data; or create new accounts with full user rights.

Actions: 
  • Change all default printer login credentials and/or passwords.

  • After appropriate testing, apply updates provided by HP to vulnerable systems immediately.

  • Implement the same security policies for printers as would be implemented on any networked system.

  • Restrict inbound access to only authorized IP addresses, machines, and/or users.

  • Disable unnecessary functions, services, and/or ports.

  • Log printer activity and connections, and retain logs for a minimum of 90 days.

  • Implement security features offered by printer manufacturers that include measures such as hard drive encryption, automated deletion of printer jobs, and drive overwrite capabilities.
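
One way to check two of the actions above (inbound access limited to authorized addresses, and connection logs retained for at least 90 days) against a printer's connection log. This is an added example, not part of the original advisory; the log layout, the allowlist ranges and the sample records are assumptions constructed for illustration.

```python
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed allowlist of sources permitted to reach the printer (hypothetical ranges).
AUTHORIZED = [ip_network("10.20.0.0/24"), ip_network("10.20.5.10/32")]
RETENTION = timedelta(days=90)  # minimum retention period stated in the advisory

# Constructed sample log, one record per line: "<ISO timestamp> <source IP> <dest port>"
SAMPLE_LOG = """\
2018-05-01T08:00:00 10.20.0.15 9100
2018-06-12T13:45:10 10.20.5.10 631
2018-07-30T02:11:54 203.0.113.77 9100
bad line here
2018-08-14T09:30:00 192.0.2.8 443
2018-08-14T09:31:00 10.20.0.200 9100
"""

def parse(log):
    """Yield (timestamp, source address, port) tuples; malformed lines are skipped."""
    for line in log.splitlines():
        try:
            ts, src, port = line.split()
            yield datetime.fromisoformat(ts), ip_address(src), int(port)
        except ValueError:  # wrong field count, bad timestamp, bad IP or bad port
            continue

def unauthorized(entries):
    """Return the records whose source address is outside every authorized range."""
    return [e for e in entries if not any(e[1] in net for net in AUTHORIZED)]

def retention_ok(entries, now):
    """True if the oldest retained record is at least 90 days older than `now`.

    `entries` must be a list. An empty log fails the check: no evidence of retention.
    """
    return bool(entries) and now - min(e[0] for e in entries) >= RETENTION

if __name__ == "__main__":
    records = list(parse(SAMPLE_LOG))
    for ts, src, port in unauthorized(records):
        print(f"unauthorized source {src} -> port {port} at {ts.isoformat()}")
    print("90-day retention met:", retention_ok(records, datetime(2018, 8, 14, 12)))
```

A log that reaches back fewer than 90 days only shows a retention gap if the device has been in service that long, so compare the result against the printer's deployment date.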