Security researchers at SentinelOne say a printer driver vulnerability -- unnoticed for 16 years -- affects over 380 HP, Samsung, and Xerox printers. It can be abused to gain user access to a SYSTEM account and the ability to run code in kernel mode. Patches are now available and should be applied.
"Whether you are configuring the printer to work wirelessly or via a USB cable, this driver gets loaded", SentinelOne noted. The vulnerable driver is also loaded by Windows on every boot.
Millions of printers will have the printer driver vulnerability. Although the security company said it had seen no sign the bug had been exploited in the wild, recent US advisories suggestChinese APTs typically exploit within days of a vulnerability's details being made public; prompt patching is urged.
Analysis of the buffer overflow bug -- allocated CVE-2021-3438, with a high CVSS score of 8.8 -- suggests HP didn’t develop the vulnerable driver responsible; the bug may have crept in when it was copied from a project in Windows Driver Samples by Microsoft with very similar functionality.
"The vulnerable function inside the driver accepts data sent from User Mode via IOCTL (Input/Output Control) without validating the size parameter. This function copies a string from the user input using
strncpy with a size parameter that is controlled by the user. Essentially, this allows attackers to overrun the buffer used by the driver," Asaf Amir, VP of Research at SentinelOne said July 19.
Exploitation of the escalation of privilege (EOP) bug gives an unprivileged user access to a SYSTEM account and the ability to run code in kernel mode. As SentinelOne put it in a July 19 blog: "Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products."
"It is highly recommended that in order to reduce the attack surface provided by device drivers with exposed IOCTLs handlers, developers should enforce strong ACLs when creating kernel device objects, verify user input and not expose a generic interface to kernel mode operations," SentinelOne noted.
HP has had patches available since May 19 (updated June 1), but with penetration testers telling The Stack that they typically find companies are updating/patching Operating Systems, but not necessarily third-party software, admins should consider promptly checking and updating their print driver software -- while Microsoft's own ongoing "PrintNightmare" continues to rumble, it seems an opportune moment to double down on ensuring all-things-printer are patched and secured.
SentinelOne first reported the bug to HP (which makes all the affected devices) in February 2021. Users can check HP Security Advisory HPSBPI03724 and Xerox Advisory Mini Bulletin XRX21K for a full list of affected devices.