HP to Release Patch for Security Bugs

HP said it would release firmware patches later this week for several security bugs reported to the company by various cyber-security experts.

The firmware patches address a slew of bugs, among which the most severe is a remote code execution (RCE) flaw discovered and reported by Stephen Breen of NTT Security.

The RCE bug (CVE-2017-2750) affects HP’s top-of-the-line enterprise printer series such as LaserJet and PageWide, but also some OfficeJet and ScanJet models. A full list of affected products is available in the HP security advisory.

Security experts from FoxGlove Security discovered the same flaw earlier this month, along with many others. The FoxGlove team says they decided to take a jab at poking holes in HP printer defenses after the company had gone somewhat overboard with its marketing campaign advertising its printers as nigh unhackable.

HP made a big deal last year after adding technologies to its printers such as Runtime Intrusion Detection, HP Sure Start, and Whitelisting.

HP then enlisted the help of Christian Slater —known for his role in hacker-centric TV show Mr. Robot— to record a FUD video detailing the poor state of printer security and promoting HP products.

FoxGlove experts used a custom-made tool called PRET (Printer Exploitation Toolkit) to break down HP printer firmware and find security flaws.

Researchers released PRET in January this year. The toolkit automates local (USB), network (LAN), and remote (Internet) attacks on printers using known vulnerabilities and standard attack vectors and techniques.

With PRET, FoxGlove experts discovered the same RCE bug Breen found and reported to HP over the summer, but also other issues detailed in the summary below, and in more depth on FoxGlove’s blog.

⩥ Path traversal bug that allows an attacker to access data from the printer job queue (files that are about to be listed).

⩥ A bug that allowed an attacker to modify PostScript printing jobs (document’s printed content).

⩥ An unsecured factory reset function that would allow attackers to reset the printer’s admin password to the default of “not using a password.”

⩥ A design flaw that allows attackers to extract firmware images from the device.

⩥ Researchers failed at uploading malicious firmware on the device, but they were able to upload DLL files for carrying out the RCE attack.

On top of these technical details, FoxGlove researchers also discovered that the design of HP printer settings panels also spread and hid security-related settings deep in the menus. Experts argue this made it harder for printer owners to actually secure these devices up to their full capabilities.

System administrators with HP printers on their network should be on the lookout this week for a firmware update.

Last year, security researcher Chris Vickery warned that hackers could use the storage devices of Internet-exposed HP LaserJet printers to store malicious files.

In other HP-related news, Hewlett Packard Enterprise CEO Meg Whitman announced this week she is stepping down. Withman spent six years as HPE’s CEO and current president Antonio Neri will take her place as future HPE CEO.