Updates to address critical printer vulnerabilities issued by HP

Published 12/9/21, 9:00am

HP has issued updates to address several vulnerabilities in HP multi-function (print, scan, fax) printers. Two of the most dangerous vulnerabilities—listed as CVE-2021-38237 (CVSS of 7.2—High) and CVE-2021-39238 (CVSS of 9.3—Critical)—date to 2013 and affect the following HP printing devices: LaserJet, LaserJet Managed, PageWide, and PageWide Managed printers. These flaws could enable a threat actor to steal data and establish network persistence.

In the case of CVE-2021-38237, physical access to the printer is required to exploit the vulnerability. However, an experienced hacker could perform the attack and deploy an implant in less than five minutes, enabling full control of the device and exfiltration of sensitive information, including login credentials.

The more severe of the two bugs—CVE-2021-39238—is a buffer overflow issue in the firmware’s font parsing code. It is also wormable, meaning it could spread from a single affected printer across a network. Attackers would first entice a victim to a malicious website. Once on the website, the attacker would then send remote and malicious instructions to the printer to introduce the malware. Once the printer is compromised, an attacker could read any documents being printed and then move laterally within the network.  

Next Steps

HP is urging organizations to patch their printer firmware as soon as possible to avoid the possibility of an internal or external threat actor exploiting the flaws.