Saturday, September 3, 2016

Printer Security

Here's a quick and dirty post on a serious class of vulnerabilities in Hewlett Packard printers, and most likely other manufacturers' devices as well.  It's old information, but a lot of the more gruesome details were news to me at the time I read about it.  It caught my attention when I was researching the proper remediation after seeing the vulnerability flagged by a recent scan.  So naturally, rather than just implement the fix stated in HP's bulletin, I made a detour to Google Scholar and did some additional reading.  I'm not one to just take HP at their word that a firmware update will fix you all up.  Especially when the firmware was already the latest and greatest and had been since at least January.

To continue to build fear of all these devices being directly connected to the home network, and then to the Internet, Cui, Costello and Stolfo took a look at HP printers.  They presented a case study of the HP-RFU vulnerability, which allows an attacker to inject malware into the printer's firmware by simply sending malicious documents to be printed.  This vulnerability is known to affect 373 different LaserJet firmware images.  Prior work shows the same overall design flaws exist in other embedded systems; HP just happens to be the lucky one to be exploited.  The paper mentions that ATMs, enterprise routers, and PBX equipment can also be vulnerable to a similar attack.  The attack is effective against the majority of LaserJet printers on the market at the time.  Sales numbers show 11.9 million units shipped by HP in just one quarter of 2010.

Not only can malware be uploaded to these printers, in some cases it can be injected permanently.  The boot flash used on some of these printers supports one-time programmable (OTP) regions, areas of memory that can be written exactly once and then never changed.  If an attacker were to write malware into such a region, it could not be erased or overwritten; at a minimum, remediation would require replacing the chip, which isn't always possible.  And on the extreme end of this vulnerability, an attacker can theoretically set your printer on fire remotely using this technique.  HP has, of course, denied this last charge, claiming that safeguards are in place to prevent it.

More concerning than the ease with which these printers are exploitable is the fact that the authors found so many vulnerable printers directly accessible across the Internet.  In other words, printers that can theoretically receive print jobs directly from anywhere in the world.  After a scan of the IPv4 address space, they were able to identify 90,847 printers in government, educational, and other sensitive institutions.  Of the printers identified, just over 1% were patched.  They also found that 24.8% of the printers that were patched still had open telnet interfaces with no root password.  64% of the vulnerable printers were located in North America.  65% were found within educational institutions.  201 printers were identified within the U.S. Department of Defense.
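The practical takeaway from that census is that a printer should never be reachable on its job-submission or management ports from outside your own network.  Below is an added example, not code from the post or from the paper, that shows one way to check for that in your own firewall or flow logs: it flags accepted connections to printer service ports (raw/JetDirect 9100, LPD 515, IPP 631, and the telnet management interface on 23, which are standard port assignments I'm assuming here rather than values from the post) that originate outside a set of internal address ranges.  The log format, the internal ranges, and the sample lines are all constructed for the example.

```python
"""Flag printer service ports that accepted connections from outside the network.

Added example (not from the post or the paper). The flow-log format, internal
address ranges, and sample records below are constructed for illustration.
"""
import ipaddress

# Printer ports worth watching (assumption: standard assignments, not from the post).
PRINTER_PORTS = {
    9100: "raw/JetDirect",
    515: "LPD",
    631: "IPP",
    23: "telnet management",
}

# Address ranges this organization treats as internal (assumption: RFC 1918 space).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed sample flow log: "timestamp src_ip dst_ip dst_port action".
# 10.1.0.50 plays the role of a LaserJet on the internal network.
SAMPLE_FLOWS = """\
2016-08-30T10:01:02Z 203.0.113.7 10.1.0.50 9100 ACCEPT
2016-08-30T10:01:05Z 10.1.4.9 10.1.0.50 9100 ACCEPT
2016-08-30T10:02:11Z 198.51.100.22 10.1.0.50 23 ACCEPT
2016-08-30T10:02:30Z 198.51.100.22 10.1.0.51 443 ACCEPT
2016-08-30T10:03:00Z 203.0.113.7 10.1.0.50 515 DROP
"""


def parse_flow(line):
    """Split one whitespace-delimited flow record into a dict."""
    ts, src, dst, port, action = line.split()
    return {
        "ts": ts,
        "src": ipaddress.ip_address(src),
        "dst": dst,
        "port": int(port),
        "action": action,
    }


def is_internal(addr):
    """True if the address falls inside one of the organization's internal ranges."""
    return any(addr in net for net in INTERNAL_NETS)


def exposed_printer_flows(log_text):
    """Return (printer_ip, port, service, external_src) for each accepted
    connection to a printer port from a non-internal source."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        # Dropped connections are the firewall doing its job; only ACCEPT matters.
        if flow["action"] != "ACCEPT":
            continue
        if flow["port"] not in PRINTER_PORTS:
            continue
        if is_internal(flow["src"]):
            continue
        findings.append(
            (flow["dst"], flow["port"], PRINTER_PORTS[flow["port"]], str(flow["src"]))
        )
    return findings


def exposure_by_printer(findings):
    """Collapse findings to {printer_ip: sorted list of exposed services}."""
    summary = {}
    for dst, _port, service, _src in findings:
        summary.setdefault(dst, set()).add(service)
    return {dst: sorted(services) for dst, services in summary.items()}


if __name__ == "__main__":
    hits = exposed_printer_flows(SAMPLE_FLOWS)
    for dst, port, service, src in hits:
        print(f"{dst}:{port} ({service}) accepted a connection from {src}")
    print(exposure_by_printer(hits))
```

On the constructed sample this reports the printer at 10.1.0.50 accepting a raw print connection on 9100 and a telnet session on 23 from outside the network, while ignoring the internal job, the HTTPS connection to a different host, and the dropped LPD attempt.  In practice the two services deserve different follow-up: external reachability of 9100 is exactly the "print jobs from anywhere in the world" exposure described above, and an open telnet port on a device that may have no root password set is a management-plane problem on top of it.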

Not only are the 90,000+ printers noted in the study vulnerable to this attack, but they also contain third-party libraries such as zlib and OpenSSL, which are known to contain several other highly exploitable vulnerabilities.  Note that the 90,000 figure counts only the printers that can be exploited by this particular attack.  There are no doubt countless other printers (and a wide array of devices besides printers) with other flaws sitting directly on the Internet.

As for the vulnerability being flagged in the August scan despite the firmware having been updated between 7 and 8 months prior, your guess is as good as mine.
