"HP Printer Hijack Bugs Impact 150 Models"

Security researchers at F-Secure have discovered two vulnerabilities in multi-function printers (MFPs) that impacted 150 product models. Specifically, the researchers found a physical access port vulnerability (CVE-2021-39237) and a font parsing bug (CVE-2021-39238) in HP’s MFP M725z device. These vulnerabilities turned out to affect scores more products in the FutureSmart line dating back to 2013. CVE-2021-39238 is the more dangerous of the two because it can be exploited remotely, potentially by tricking an employee into visiting a malicious website to conduct a “cross-site printing” attack. Here, the website could automatically print a document containing a maliciously crafted font on a vulnerable MFP, said the researchers. This would allow an attacker to execute arbitrary code on the machine to steal any printed, scanned, or faxed information, including device passwords. The researchers also claimed that it could enable attackers to launch deeper attacks into the corporate network to spread ransomware, steal data from more sensitive data stores and achieve other goals. The researchers also found that the bugs are wormable, meaning multiple MFPs on the same network could be automatically impacted. HP has issued patches for the vulnerabilities, which are described as “medium” (CVE-2021-39237) and “critical” (CVE-2021-39238) severity.

 

Infosecurity reports: "HP Printer Hijack Bugs Impact 150 Models"

Submitted by Anonymous on