A Vulnerability in HP Products Could Allow for Arbitrary Code Execution

ITS Advisory Number: 2018-013
Date(s) Issued: Tuesday, January 30, 2018
Subject: A Vulnerability in HP Products Could Allow for Arbitrary Code Execution
Overview: 

A vulnerability has been discovered in HP Printer Products, which could allow for arbitrary code execution. Depending on the printer's placement on the network, an attacker could potentially install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

There is no evidence of this vulnerability being exploited in the wild. However, the MS-ISAC has previously observed a variety of printer exploits and defacements affecting Internet-facing printers in state, local, tribal, and territorial governments, especially those located in universities, K-12 schools, and fire stations.

Systems Affected: 
  • HP PageWide Managed MFP P57750dw, J9V82A, J9V82B, J9V82C, J9V82D firmware versions prior to 1708D
  • HP PageWide Managed P55250dw J6U55A, J6U55B, J6U55C, J6U55D firmware versions prior to 1708D
  • HP PageWide Pro MFP 577z K9Z76A, K9Z76D firmware versions prior to 1708D
  • HP PageWide Pro 552dw D3Q17A, D3Q17C, D3Q17D firmware versions prior to 1708D
  • HP PageWide Pro MFP 577dw D3Q21A, D3Q21C, D3Q21D firmware versions prior to 1708D
  • HP PageWide Pro MFP 477dw D3Q20A, D3Q20B, D3Q20C, D3Q20D firmware versions prior to 1708D
  • HP PageWide Pro 452dw D3Q16A, D3Q16B, D3Q16C, D3Q16D firmware versions prior to 1708D
  • HP PageWide Pro MFP 477dn D3Q19A, D3Q19D firmware versions prior to 1708D
  • HP PageWide Pro 452dn D3Q15A, D3Q15B, D3Q15D firmware versions prior to 1708D
  • HP PageWide MFP 377dw J9V80A, J9V80B firmware versions prior to 1708D
  • HP PageWide 352dw J6U57B firmware versions prior to 1708D
  • HP OfficeJet Pro 8730 All-in-One Printer D9L20A firmware versions prior to 1708D
  • HP OfficeJet Pro 8740 All-in-One Printer D9L21A firmware versions prior to 1708D
  • HP OfficeJet Pro 8210 Printer D9L63A, D9L64A firmware versions prior to 1708D
  • HP OfficeJet Pro 8216 Printer T0G70A firmware versions prior to 1708D
  • HP OfficeJet Pro 8218 Printer J3P68A firmware versions prior to 1708D

RISK
GOVERNMENT
  • Large and medium government entities: High
  • Small government entities: High
BUSINESS
  • Large and medium business entities: High
  • Small business entities: High
Home Users: Low
Description: 

A vulnerability has been discovered in HP products, which could allow for arbitrary code execution. Depending on the printer's placement on the network, an attacker could potentially install programs; view, change, or delete data; or create new accounts with full user rights.

According to the network security company Tenable, a directory traversal vulnerability exists that allows access to the profile.d directory. This world-writable directory contains scripts that are executed at startup, leading to possible arbitrary code execution.
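
An audit for the weakness described above, as an added example (not code from HP, Tenable, or this advisory): it flags a startup-script directory, or any script in it, that every user can write to. The function names, sample file names, and temporary directory tree are constructed for illustration; on a general-purpose Linux host the directory to pass would be one such as /etc/profile.d.

```python
import os
import stat
import tempfile

def audit_startup_dir(path):
    """Return (path, mode, reason) for each world-writable item in a
    startup-script directory; an empty list means nothing was found."""
    findings = []
    st = os.stat(path)
    if st.st_mode & stat.S_IWOTH:
        # Write access to the directory is enough to add or replace a
        # script, even if every file inside it is read-only.
        findings.append((path, stat.filemode(st.st_mode),
                         "directory writable by any user"))
    for name in sorted(os.listdir(path)):
        full = os.path.join(path, name)
        try:
            est = os.stat(full)  # follows symlinks: check the real target
        except OSError:
            continue  # dangling link, nothing to execute
        if est.st_mode & stat.S_IWOTH:
            findings.append((full, stat.filemode(est.st_mode),
                             "script writable by any user"))
    return findings

def demo():
    """Audit a constructed profile.d tree before and after tightening modes."""
    with tempfile.TemporaryDirectory() as root:
        d = os.path.join(root, "profile.d")
        os.mkdir(d)
        for name, mode in (("00-path.sh", 0o644), ("10-locale.sh", 0o666)):
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write("# constructed sample script\n")
            os.chmod(p, mode)
        os.chmod(d, 0o777)  # the weak setting the advisory describes
        weak = audit_startup_dir(d)
        os.chmod(d, 0o755)  # corrected: only the owner may write
        os.chmod(os.path.join(d, "10-locale.sh"), 0o644)
        fixed = audit_startup_dir(d)
    return [(os.path.basename(p), m) for p, m, _ in weak], fixed

if __name__ == "__main__":
    weak, fixed = demo()
    for name, mode in weak:
        print(f"FLAG {mode} {name}")
    print("after fix:", fixed)
```

The directory check matters on its own: a world-writable directory is flagged even when every script inside it has safe permissions.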

Actions: 
  • After appropriate testing, immediately install the updates provided by HP to vulnerable systems.
  • Change all default printer login credentials and/or passwords.
  • Implement the same security policies for printers as would be implemented on any networked system.
  • Restrict inbound access to only authorized IP addresses, machines, and/or users.
  • Disable unnecessary functions, services, and/or ports.
  • Log printer activity and connections, and retain logs for a minimum of 90 days.
  • Implement security features offered by printer manufacturers that include measures such as hard drive encryption, automated deletion of printer jobs, and drive overwrite capabilities.