
Multiple Vulnerabilities in HP Printer Products Could Allow for Remote Code Execution

MS-ISAC ADVISORY NUMBER:

2018-087

DATE(S) ISSUED:

08/07/2018

OVERVIEW:

Multiple Vulnerabilities have been discovered in HP Printer products, which could allow for remote code execution. Depending on the printer’s placement on the network, an attacker could potentially install programs; view, change, or delete data; or create new accounts with full user rights.

THREAT INTELLIGENCE:

There is no evidence of these vulnerabilities being exploited in the wild. However, the MS-ISAC has previously observed a variety of printer exploits and defacements affecting Internet-facing printers in state, local, tribal, and territorial governments, especially those located in universities, K-12 schools, and fire stations.

**August 14 – UPDATED THREAT INTELLIGENCE**
The vulnerabilities in the communication protocols of fax machines were detailed recently at the DEF CON 26 Hacking Conference in Las Vegas. Security researchers Yaniv Balmas and Eyal Itkin from Check Point Software Technologies were able to demonstrate that fax machines could be compromised via access to their exposed and unprotected telephone lines.

RISK:

Government:
  • Large and medium government entities: HIGH
  • Small government entities: HIGH
Businesses:
  • Large and medium business entities: HIGH
  • Small business entities: HIGH
Home Users: HIGH

TECHNICAL SUMMARY:

Multiple Vulnerabilities have been discovered in HP products, which could allow for remote code execution. An attacker can exploit these vulnerabilities by sending a maliciously crafted file to an affected device which can cause a stack or static buffer overflow (CVE-2018-5924, CVE-2018-5925). Depending on the printer’s placement on the network, an attacker could potentially install programs; view, change, or delete data; or create new accounts with full user rights.

**August 14 – UPDATED TECHNICAL SUMMARY**
Multiple vulnerabilities have been discovered in HP products, which could allow for remote code execution. An attacker can exploit these vulnerabilities by sending a maliciously crafted file to an affected device, which can cause a stack or static buffer overflow (CVE-2018-5924, CVE-2018-5925). Most recently, security researchers Yaniv Balmas and Eyal Itkin from Check Point Software Technologies were able to demonstrate that if an attacker has access to a fax number, he can send a maliciously crafted fax to exploit these vulnerabilities and potentially install ransomware, spyware, cryptominers, and/or data stealers. Successful exploitation of the most severe of these vulnerabilities could also allow an attacker to take control of an entire network. The researchers demonstrated the exploit on HP Officejet Pro All-in-One fax printers, which use the same protocols as many other brands of fax machines, multifunction printers, and online fax services. Depending on a printer’s placement on the network, an attacker could also potentially view, change, or delete data; or create new accounts with full user rights.

RECOMMENDATIONS:

We recommend the following actions be taken:

  • Apply appropriate updates provided by HP to vulnerable systems, immediately after appropriate testing.
  • Change all default printer login credentials and/or passwords.
  • Implement the same security policies for printers as would be implemented on any networked system.
  • Restrict inbound access to only authorized IP addresses, machines, and/or users.
  • Disable unnecessary functions, services, and/or ports.
  • Log printer activity and connections, and retain logs for a minimum of 90 days.
  • Implement security features offered by printer manufacturers that include measures such as hard drive encryption, automated deletion of printer jobs, and drive overwrite capabilities.
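As an added example (not part of the MS-ISAC advisory), the following Python script ties together the logging and inbound-access recommendations above: it parses printer connection log lines and flags every connection whose source address is outside the authorized networks. The log line format, printer host name, and authorized networks are assumptions, and the sample log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines, not from the advisory. The format is an assumed
# "<timestamp> <printer> <service> connection from <source-ip>" syslog-style line.
SAMPLE_LOG = """\
2018-08-07T09:12:01 printer-3f jetdirect connection from 10.20.5.14
2018-08-07T09:12:44 printer-3f ipp connection from 10.20.5.21
2018-08-07T09:13:02 printer-3f jetdirect connection from 203.0.113.77
2018-08-07T09:13:05 printer-3f ipp connection from 203.0.113.77
2018-08-07T09:14:30 printer-3f web-admin connection from 198.51.100.9
not a connection line at all
"""

# Assumed authorized source networks: the print-server subnet and the admin range.
AUTHORIZED = [ipaddress.ip_network(n) for n in ("10.20.5.0/24", "10.20.9.0/28")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<host>\S+)\s+(?P<service>\S+)\s+connection from\s+(?P<ip>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it is malformed."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    try:
        rec["ip"] = ipaddress.ip_address(rec["ip"])
    except ValueError:  # e.g. a hostname where an address was expected
        return None
    return rec


def is_authorized(ip, networks=AUTHORIZED):
    """True if ip (str or ip_address object) falls inside an authorized network."""
    if isinstance(ip, str):
        ip = ipaddress.ip_address(ip)
    return any(ip in net for net in networks)


def audit(log_text, networks=AUTHORIZED):
    """Return (unauthorized records, Counter of hits per source address)."""
    hits = [r for r in map(parse_line, log_text.splitlines())
            if r is not None and not is_authorized(r["ip"], networks)]
    return hits, Counter(str(r["ip"]) for r in hits)
```

Malformed lines are skipped rather than aborting the audit, so a single bad entry in a retained 90-day log does not hide the rest.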

REFERENCES:
