Recent security research has unveiled a significant vulnerability within the firmware of numerous Hewlett Packard (HP) enterprise printer models. This security flaw, identified as CVE-2017-2750, has been rated with a high severity score of 8.1 on the Common Vulnerability Scoring System (CVSS). It presents a potential risk for attackers seeking to exploit these printers remotely, enabling them to execute arbitrary code.
The vulnerability arises from inadequate verification processes for portions of Dynamic Link Libraries (DLLs), which affects 54 models, including HP LaserJet Enterprise, LaserJet Managed, PageWide Enterprise, and OfficeJet Enterprise printers. The discovery of this remote code execution (RCE) vulnerability was made by researchers from FoxGlove Security during a security analysis of HP’s MFP-586 printer and the HP LaserJet Enterprise M553 model.
In a detailed technical report released by FoxGlove Security, researchers disclosed their methodology for reverse engineering “.BDL” files utilized in HP Solutions and firmware updates. They uncovered that this proprietary binary format lacks publicly available documentation, prompting their efforts to decipher its contents for insights regarding firmware updates and solutions. Although HP has implemented signature validation mechanisms to counter tampering with the printer systems, researchers indicated a potential method to circumvent these defenses by manipulating specific integer values within the DLL file.
These findings demonstrate that researchers were able to break past the digital signature validation specific to HP software “Solution” packages, which allowed for the integration of a malicious DLL payload, ultimately leading to the execution of arbitrary code on the targeted printers.
FoxGlove Security has publicly shared the source code for tools employed during their examination on GitHub, including a proof-of-concept malware payload designed for remote installation on the printers. This proof-of-concept malware is capable of downloading external files, executing specified commands on the printer, and repeating these actions at timed intervals.
In response to this vulnerability, which was reported to HP in August, the company has since released critical firmware updates addressing the discovered issue. Business owners who utilize these HP models are strongly advised to download the latest firmware updates to bolster their defenses against potential exploitation.
To apply the updates, users can navigate to the HP website, select Support, and subsequently access the Software & Drivers section. By entering the printer’s model number in the search box, users can locate the required firmware files for download.
This incident highlights the importance of proactive measures in cybersecurity, especially as printers increasingly become a target for cyber threats. Understanding the mechanisms of these vulnerabilities, including tactics such as initial access and privilege escalation within the MITRE ATT&CK framework, can empower organizations to better protect their assets from similar exploits in the future.
In conclusion, staying vigilant about firmware updates and security protocols is critical for maintaining a robust defense against evolving cyber threats. As the landscape of cybersecurity continuously shifts, ensuring that all devices connected to corporate networks are secured is essential to mitigating risks.