Printers can be an invisible enemy to business organizations – flying under the radar when it comes to conducting proper asset and endpoint management, and all the while exposing networks to unpatched vulnerabilities.
With that in mind, a new technical write-up from F-Secure on Tuesday details a pair of bugs that two of its security consultants found in more than 150 printer products from HP Inc. In early November, HP issued patches for these flaws, which consist of a critical and wormable buffer overflow bug, CVE-2021-39238, as well as an information disclosure vulnerability, CVE-2021-39237.
The good news, according to F-Secure, is that the HP vulnerabilities require skills to exploit, so a large wave of attacks against these flaws are unlikely. However, “vulnerabilities like [these] continue to rear their ugly head because organizations often lack the ability to fully patch outdated systems or lack 100 percent visibility into everything on their network,” said Ted Driggs, director of product management at ExtraHop. Case in point: "Printer vulnerabilities and associated vulnerabilities in the Microsoft Print Spooler service have become a common tool in many cybercriminal toolkits over the past year.”
Indeed, F-Secure consultants Alexander Bolshev and Timo Hirvonen warn in both their report and a corresponding FAQ document that modern-day multifunction printers (MFPs) can be an alluring target to exploit because attackers can sometimes swipe credentials used to access them, or steal other sensitive information that passes through them or is cached on the device. Moreover, adversaries can compromise MFPs to infect connected USB storage devices.
Making matters worse, it may be a while before victimized companies even catch on that they have been targeted. That’s because many organizations “don’t treat printers like other types of endpoints,” meaning they don’t subject them to the normal rigors of cybersecurity hygiene, they explained.
Chris Goettl, vice president of product management for security products at Ivanti, agreed that from a patch management point of view, printers tend to “fall further down the list in priority along with many other network appliances.” But why the oversight?
“It might be because IT does not consider printers as a potential risk/entry point in compromising the infrastructure,” theorized Bolshev in an email interview with SC Media.
Goettl agreed with this suggestion, noting that printers have historically been targeted less often by cybercriminals, “so vendors of these devices didn’t prioritize security and manageability” as much as they could have. Nor have their users, apparently, even though it’s safe to assume cybercriminals are looking to exploit MFPs just like any other endpoint.
We’ve seen this flawed philosophy before. Consider how users of Mac and Linux machines for years have held on to a false sense of security simply because most cybercriminals historically targeted Windows over these other operating systems. And yet, today, malware targeting Mac and Linux machines is hardly a rarity anymore.
Experts offered up an additional reason security teams have failed to shore up connected printer security: a lack of specialized expertise and available bandwidth among the workforce.
“Unlike servers or network devices, which usually have dedicated teams, printers are usually managed by people who perform multiple IT support tasks; hence they are rarely addressed,” he explained.
On top of that, updating firmware for printers can be a time-consuming process for a busy IT or security team. Case in point: HP’s customer support guidance for managing firmware in its LaserJet and multifunction printers says to “disable Remote Firmware Updates (RFU) except when you are planning to do a firmware update,” noted Goettl. “It then proceeds to show you steps on how to disable/enable RFU through three different methods, all of which require going to each printer either by web console, direct IP or manually on the printer to enable RFU. Then you need to update the firmware, and finally disable RFU again.”
For additional help, some user organizations may have to seek external expertise. “Most printer security guidance you will find are things like education, securing physical access to the printer, changing default passwords, and using encrypted connections for printer admin controls,” said Goettl. “For more robust capabilities you typically need to seek out a service provider specifically for printer maintenance and security.”
Aside from being overlooked as a threat vector, printers create another security issue when an attack actually does occur: According to the F-Secure report, there is a lack of forensic tools designed specifically to recover attack evidence from MFPs and similar devices – which means investigators may have little to go on when a printer is the primary intrusion point.
“Unlike desktop computers or servers, printers are embedded devices,” Bolshev explained to SC Media. “They differ in the architecture and software even within a single vendor, so it's pretty impossible to invent some unified approach here. Hence, I do not see that any kind of such tools will ever emerge at all.”
“Printers fall into the category of what many vulnerability scanners refer to as fragile devices. They do not respond well to forms of direct assessment,” Goettl added. “Falling back to passive monitoring of network traffic for printers is the solution to monitoring for bad behavior and looking into logs on the print server or the client system that executed the print job is where you can find common methods of capturing details about the printer. ... There is very little capability to understand what someone may have done to the printer directly.”
According to the F-Secure report, the HP vulnerabilities have existed since at least 2013 and can be leveraged for malicious code execution (in some cases by remote actors), resulting in possible information theft and network compromise, or the printing of a maliciously crafted document. The wormable nature of the buffer overflow vulnerability is particularly troubling due to its potential to propagate in automated fashion among connected devices. Fortunately, there are steps organizations can take to help minimize the scope and spread of an attack.
For starters, Bolshev recommended that companies place their printers into a separate, firewalled VLAN. “The workstations should communicate with a dedicated print server, and only the print server should talk to the printers. This is important since, without proper network segmentation, the vulnerability could be exploited by a malicious website that sends the exploit directly to port 9100 from the browser,” he explained.
Additionally, “to hinder lateral movement and C&C communications from a compromised MFP, outbound connections from the printer segment should be allowed to explicitly listed addresses only,” Bolshev continued. “Finally, it is recommended to follow HP’s best practices for securing access to device settings to prevent unauthorized modifications to any security settings.”
Goettl also advised companies to “standardize on a specific printer vendor and a set of printer models that lets you consistently manage security across the MFPs.” This helps having to unify management across multiple printer brands, which he said can be “very cumbersome.”
Practice basic hygiene, Goettl continued, by conducting regular maintenance and firmware patching; disabling any “unnecessary ports, protocols or services;” and configuring devices to use security routing protocols. Other recommendations, include “implementing shadow copies” and requiring a form of ID or authentication in order to release the job at the printer.
HP on Nov. 1 addressed the two flaws in a pair of security advisories (1, 2), one of which was updated Tuesday to account for a revised affected product chart. The company also supplied SC Media with the following statement: "HP constantly monitors the security landscape and we value work that helps identify new potential threats. ... The security of our customers is a top priority and we encourage them to always stay vigilant and to keep their systems up to date."