Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Faxsploit Allows Remote Code Execution Through HP All-in-One Printers

A new exploit demonstrated by Checkpoint Research at DEF CON last week leverages vulnerabilities in all-in-one printers, potentially allowing attackers to take control of other devices on the network.

Background

Checkpoint Research published a proof of concept (PoC) for exploiting two remote code execution vulnerabilities on HP All-in-One printers solely through the printer’s fax line. These critical vulnerabilities score CVSS v3 as 9.8 and include CVE-2018-5924 and CVE-2018-5925.

Checkpoint was able to embed malicious code disguised as a JPEG image, which then exploited buffer overflows in the processing code to gain full access to the printer’s operating system. From there, they were able to check if the printer was connected to a local area network (LAN), and use EternalBlue and Double Pulsar attacks to take control of a separate device on the network.

Vulnerability details

In its report, Checkpoint says it believes this is the first publicly documented example of the EternalBlue and Double Pulsar exploits being used to launch attacks via a printer. EternalBlue is a publicly available module that exploits a remote code execution bug in SMBv1. Double Pulsar is a kernel-level malware usually delivered through the EternalBlue exploit, allowing an attacker to load malware onto the target. Checkpoint used these tools via the fax line on the target printer to infect a separate device on the same network.

At the time of this writing, the PoC only covers HP printers, but the researchers at Checkpoint seemed confident other manufacturers could be similarly exploited.

This video from Checkpoint shows the PoC in action.

Checkpoint worked closely with HP to get these vulnerabilities fixed and patched before disclosing their research to the public at DEF CON 26. This allowed HP to have public patches available a few days ahead of the public disclosure of the PoC. HP provides a support page to determine if your printers need to be updated.

Impact assessment

While faxes may seem outdated, they’re still widely used -- and in some cases are required -- by schools, government offices, medical facilities and manufacturing industries. A Shodan search for internet-facing HP printers in the affected families showed more than 50,000 printers worldwide. Google also shows approximately 300 million indexed fax numbers. All-in-one Printer/Fax machines have replaced a lot of older standalone faxes for many businesses, so it can be assumed a fair number of those indexed numbers belong to all-in-one printers.

We haven’t seen this attack attempted publicly yet. However, other researchers and malicious actors are likely to build their own exploit code now that this PoC has been publicly disclosed. An attacker would need to know the model of printer they’re exploiting and the office fax number, or they could go Faxploit fishing with just the listed fax numbers hoping to get a hit. A Shodan search will show any of the affected printers connected to the web. Attackers could cross reference this data with other public information to match up the printer with relevant fax numbers.

An attacker could utilize the foothold created by this exploit in order to further infect other devices in the target environment. While this exploit is likely too complicated for widespread attacks, it could be an ideal vector for targeted attacks.

Urgently required actions

If your business uses an an all-in-one fax/printer, we recommend updating the firmware to the latest version provided by the manufacturer. At the time of this writing, HP is the only vendor with a patch for this specific exploit. We recommend checking with printer vendor support channels to see if they’ve responded as well.

Below is a list of plugins Tenable has released to detect if the HP printers in your network are vulnerable. Tenable will continue to monitor the situation and provide updated protection as vendors provide updates.

Tenable Plugins

Plugin ID

Name

Description

111666

hp_printers_HPSBHF03589.nasl

The firmware version running on the remote host is vulnerable to multiple vulnerabilities. An unauthenticated remote attacker could gain system-level unauthorized access to the affected device.

111667

hp_www_detect.nbin

The remote host has been identified as using an HP embedded web server.

Learn more:

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.