Overview of CVE-2021-39237 & CVE-2021-39238

Cybersecurity researchers have discovered two vulnerabilities, collectively named Printing Shellz, that affect 150 different Hewlett Packard (HP) multifunction printer (MFP) models. The flaws could allow an attacker to take control of the devices, extract sensitive information, and move into the surrounding network to carry out further attacks.

The vulnerabilities are as follows:  

  • CVE-2021-39237 – This information disclosure vulnerability impacts certain HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers.  
  • CVE-2021-39238 – This buffer overflow vulnerability affects certain HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise PageWide, and HP PageWide Managed products. This vulnerability is wormable and could be exploited to self-propagate to other MFPs on a compromised network.  

Both flaws, located in the unit's communications board and font parser, could be exploited to gain code-execution rights on the device, and this can be done remotely. A successful attacker could then steal information or use the compromised printer as a beachhead for future attacks against the target network.

CVE-2021-39237 is exploited by an attacker with physical access to the device: two exposed physical ports grant full access to it. This flaw could lead to information disclosure.

CVE-2021-39238 can be exploited by embedding an exploit in a PDF document and using social engineering to lure the target into printing the file. An employee could also be lured to a rogue website that automatically prints a document containing a maliciously crafted font on the vulnerable device, giving the attacker code-execution rights on it. This technique is known as a cross-site printing attack.

It would take an attacker under five minutes to exploit both vulnerabilities. If you have any of the HP printer models listed, it is imperative that you patch your devices immediately. Now that the vulnerabilities are public, threat actors know what to look for and how to exploit them. Patch your devices before it's too late.

How Avertium is Protecting Our Clients

  • Avertium offers SIEM and EDR services for organizations that need protection against threat actors trying to exploit CVE-2021-39237 and CVE-2021-39238. A robust SIEM implementation is one of the most effective weapons you can leverage in the increasingly complex battle to secure your organization. Our EDR service continuously monitors systems for suspicious activity within the security perimeter.
  • If your organization needs further protection, you may want to use Avertium's VMaaS (vulnerability management as a service) to set up extra safeguards.
  • Reach out to your Service Delivery Manager or Account Executive if you need assistance applying any of the above services. 

Avertium's recommendations

  • To mitigate an attack exploiting CVE-2021-39237 and CVE-2021-39238, the following is recommended:
    • Patch your devices immediately (CVE-2021-39237 and CVE-2021-39238)
    • Only allow outbound connections from the printer to a specific list of addresses  
    • Disable printing from USB  
    • Enforce network segmentation. Set up a dedicated print server for communication between workstations and printers. Even without patching, following network segmentation best practices significantly reduces the damage an intruder can do.
    • Place printers in a separate VLAN behind a firewall
    • Follow HP’s best practices for securing access to device settings. This will prevent unauthorized modifications to security settings.
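One way to operationalize the outbound allow-list and segmentation advice above is to audit firewall logs for printer-VLAN egress that does not match the allow-list. The Python script below is an added example, not Avertium's or HP's code; it assumes a hypothetical layout (printers in 10.50.20.0/24, a print server at 10.50.10.5 permitting IPP 631 and raw 9100, a firmware-update host at 10.50.10.6 over 443) and netfilter-style SRC/DST/PROTO/DPT log fields, and it runs over constructed sample lines. It also flags printer-to-printer connections, the traffic pattern a self-propagating exploit of CVE-2021-39238 would produce.

```python
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Hypothetical network layout (an assumption for this example, not from the
# advisory): printers sit in their own VLAN and may only reach a dedicated
# print server (IPP 631, raw 9100) and one firmware-update host over HTTPS.
PRINTER_SUBNET = ipaddress.ip_network("10.50.20.0/24")
INTERNAL_RANGE = ipaddress.ip_network("10.0.0.0/8")
ALLOWED_EGRESS = {
    ipaddress.ip_address("10.50.10.5"): {631, 9100},  # dedicated print server
    ipaddress.ip_address("10.50.10.6"): {443},        # firmware-update host
}

# Field pattern for netfilter-style firewall log lines; adapt to your firewall.
LOG_RE = re.compile(
    r"SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) .*?PROTO=(?P<proto>\w+) .*?DPT=(?P<dpt>\d+)"
)


@dataclass(frozen=True)
class Violation:
    src: str
    dst: str
    dport: int
    reason: str


def check_line(line):
    """Return a Violation for printer-originated traffic that is not on the
    allow-list, or None for allowed, inbound-to-printer or unparseable lines."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    src = ipaddress.ip_address(m["src"])
    if src not in PRINTER_SUBNET:
        return None  # only printer egress is audited here; inbound jobs are out of scope
    dst = ipaddress.ip_address(m["dst"])
    dport = int(m["dpt"])
    if dst in PRINTER_SUBNET:
        # Printers have no reason to talk to each other; this is the pattern a
        # wormable exploit spreading between MFPs would produce.
        return Violation(str(src), str(dst), dport,
                         "printer-to-printer traffic; possible self-propagation")
    if dst not in ALLOWED_EGRESS:
        scope = "internal" if dst in INTERNAL_RANGE else "external"
        return Violation(str(src), str(dst), dport,
                         f"destination not on allow-list ({scope})")
    if dport not in ALLOWED_EGRESS[dst]:
        return Violation(str(src), str(dst), dport,
                         "port not permitted for this destination")
    return None


def audit(lines):
    """All violations found in an iterable of log lines, in log order."""
    return [v for v in map(check_line, lines) if v is not None]


def violations_per_printer(lines):
    """Count violations by source printer, to triage the noisiest device first."""
    return Counter(v.src for v in audit(lines))


# Constructed sample log lines (not real data): one printer behaving, the same
# printer trying SSH to the print server, a second printer calling out to the
# internet and then probing a neighbouring printer, an inbound job from a
# workstation, and an unrelated kernel message.
SAMPLE_LOG = [
    "Dec  1 10:02:11 fw kernel: FW-OUT IN=vlan20 OUT=vlan10 SRC=10.50.20.7 DST=10.50.10.5 LEN=60 PROTO=TCP SPT=50123 DPT=9100 SYN",
    "Dec  1 10:02:15 fw kernel: FW-OUT IN=vlan20 OUT=vlan10 SRC=10.50.20.7 DST=10.50.10.6 LEN=60 PROTO=TCP SPT=50130 DPT=443 SYN",
    "Dec  1 10:03:40 fw kernel: FW-OUT IN=vlan20 OUT=vlan10 SRC=10.50.20.7 DST=10.50.10.5 LEN=60 PROTO=TCP SPT=50140 DPT=22 SYN",
    "Dec  1 10:04:02 fw kernel: FW-OUT IN=vlan20 OUT=wan0 SRC=10.50.20.9 DST=203.0.113.7 LEN=60 PROTO=TCP SPT=41000 DPT=443 SYN",
    "Dec  1 10:04:05 fw kernel: FW-OUT IN=vlan20 OUT=vlan20 SRC=10.50.20.9 DST=10.50.20.12 LEN=60 PROTO=TCP SPT=41002 DPT=9100 SYN",
    "Dec  1 10:05:00 fw kernel: FW-IN IN=vlan30 OUT=vlan20 SRC=10.50.30.44 DST=10.50.20.7 LEN=60 PROTO=TCP SPT=52000 DPT=9100 SYN",
    "Dec  1 10:05:01 fw kernel: eth0: link up",
]

if __name__ == "__main__":
    for v in audit(SAMPLE_LOG):
        print(f"{v.src} -> {v.dst}:{v.dport}  {v.reason}")
    print(dict(violations_per_printer(SAMPLE_LOG)))
```

On the sample data the script reports three violations: the print server being contacted on port 22, a printer reaching an address outside the allow-list, and printer-to-printer traffic. The same allow-list can be enforced directly in the firewall; running the audit over the logs tells you whether the rules are actually being hit and which device is generating the attempts.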

Indicators of Compromise (IoCs):

At this time, there are no known IoCs. Avertium's threat hunters remain vigilant in locating IoCs for our customers. Should any be located, Avertium will disclose them as soon as possible. For more information on how Avertium can help protect your organization, reach out to your Avertium Account Executive.



References

Critical Wormable Security Flaw Found in Several HP Printer Models (thehackernews.com) 

8-year-old HP printer vulnerability affects 150 printer models (bleepingcomputer.com) 

mwri (f-secure.com)