16-Year-Old HP Printer-Driver Bug Impacts Millions of Windows Machines

The bug could allow cyberattackers to bypass security products, tamper with data and run code in kernel mode.

Researchers have released technical details on a high-severity privilege-escalation flaw in HP printer drivers (also used by Samsung and Xerox), which impacts hundreds of millions of Windows machines.

If exploited, cyberattackers could bypass security products; install programs; view, change, encrypt or delete data; or create new accounts with more extensive user rights.

The bug (CVE-2021-3438) has lurked in systems for 16 years, researchers at SentinelOne said, but was only uncovered this year. It carries an 8.8 out of 10 rating on the CVSS scale, making it high-severity.

According to researchers, the vulnerability exists in a function inside the driver that accepts data sent from User Mode via Input/Output Control (IOCTL); it does so without validating the size parameter. As the name suggests, IOCTL is a system call for device-specific input/output operations.

“This function copies a string from the user input using ‘strncpy’ with a size parameter that is controlled by the user,” according to SentinelOne’s analysis, released on Tuesday. “Essentially, this allows attackers to overrun the buffer used by the driver.”
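As an added illustration (not code from SentinelOne's analysis or from the HP driver itself), the following C sketch models the pattern described above: a simulated IOCTL handler whose copy length is taken directly from the user-supplied buffer, beside a hardened handler that bounds that length against the kernel-side buffer before copying. The input structure, buffer sizes and function names are assumptions made for this example.

```c
#include <stdint.h>
#include <string.h>
#include <stddef.h>

#define DRIVER_BUF_LEN 64   /* assumed size of the driver's internal buffer */

/* Hypothetical IOCTL input layout (constructed for this example):
 * a caller-supplied length followed by the payload bytes. */
struct ioctl_input {
    uint32_t size;
    char     data[256];
};

/* The flaw pattern the article describes: the copy length comes straight
 * from user mode and is never compared with the destination buffer size,
 * so any size larger than dst_len overruns dst. Shown for contrast only. */
int copy_unchecked(char *dst, size_t dst_len, const struct ioctl_input *in)
{
    (void)dst_len;                      /* destination size is ignored */
    strncpy(dst, in->data, in->size);   /* user-controlled length */
    return 0;
}

/* Hardened handler: reject lengths that do not fit the destination (leaving
 * room for a terminator) or exceed the input payload, then copy and terminate. */
int copy_checked(char *dst, size_t dst_len, const struct ioctl_input *in)
{
    if (dst_len == 0 || in->size >= dst_len || in->size > sizeof in->data)
        return -1;                      /* invalid parameter: nothing copied */
    memcpy(dst, in->data, in->size);
    dst[in->size] = '\0';
    return 0;
}

/* Constructed checks: a benign request succeeds, an oversized one is refused. */
int hardened_accepts_small(void)
{
    struct ioctl_input in = { .size = 5, .data = "hello" };
    char buf[DRIVER_BUF_LEN];
    return copy_checked(buf, sizeof buf, &in) == 0 && strcmp(buf, "hello") == 0;
}

int hardened_rejects_oversized(void)
{
    struct ioctl_input in = { .size = 200 };   /* larger than DRIVER_BUF_LEN */
    char buf[DRIVER_BUF_LEN];
    return copy_checked(buf, sizeof buf, &in) == -1;
}
```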

Thus, unprivileged users can elevate themselves into a SYSTEM account, allowing them to run code in kernel mode, since the vulnerable driver is locally available to anyone, according to the firm.

The printer-based attack vector is perfect for cybercriminals, according to SentinelOne, since printer drivers are essentially ubiquitous on Windows machines and are automatically loaded on every startup.

“Thus, in effect, this driver gets installed and loaded without even asking or notifying the user,” explained the researchers. “Whether you are configuring the printer to work wirelessly or via a USB cable, this driver gets loaded. In addition, it will be loaded by Windows on every boot. This makes the driver a perfect candidate to target since it will always be loaded on the machine even if there is no printer connected.”

Weaponizing the bug might require chaining other vulnerabilities to achieve initial access into an environment. So far, no in-the-wild attacks have been observed.

“While we haven’t seen any indicators that this vulnerability has been exploited in the wild up till now, with hundreds of millions of enterprises and users currently vulnerable, it is inevitable that attackers will seek out those that do not take the appropriate action,” researchers warned.

How to Fix the HP Printer-Driver Bug

Since the bug has existed since 2005, it impacts a very long list of printer models, researchers noted; affected models and associated patches can be found here and here.

Device-driver vulnerabilities are not uncommon, so SentinelOne also suggested reducing the attack surface with some best practices, including enforcing strong access control lists (ACLs), which control access to packages, folders, and other elements (such as services, document types and specifications) at the group level. And, it’s a good idea to verify user input and not expose a generic interface to kernel mode operations, they added.

“While HP is releasing a patch (a fixed driver), it should be noted that the certificate has not yet been revoked at the time of writing,” according to SentinelOne. “This is not considered best practice since the vulnerable driver can still be used in bring-your-own-vulnerable-driver (BYOVD) attacks.”

Some Windows machines may already have the vulnerable driver without even running a dedicated installation file, researchers warned, since it comes with Microsoft Windows via Windows Update.

“This high-severity vulnerability affects hundreds of millions of devices and millions of users worldwide,” according to SentinelOne. “The impact this could have on users and enterprises that fail to patch is far-reaching and significant.”

SentinelOne has found previous vulnerabilities of this kind, such as a group affecting Dell's firmware update driver that remained hidden for 12 years. In that case, revealed in May, five high-severity security flaws were found to impact potentially hundreds of millions of Dell desktops, laptops, notebooks and tablets. They could allow attackers to bypass security products, execute code and pivot to other parts of the network for lateral movement, according to SentinelLabs.


Discussion

  • Jonathan on

    Hi, Threatpost Team. One of the hyperlinks above does not provide a path to an affected model list, but links to the HP driver and software search page. It's the first hyperlink provided in the first paragraph under "How to fix the driver bug". Is it possible to correct this link? Or provide a document released by HP that lists all their affected printers?
    • Tara Seals on

      Thanks Jonathan! So, you can choose your printer from the list, click on that, and then it will take you to a page where you can download the latest software release, which should fix the problem.
  • Gary on

    But back to Jonathan's comment... this isn't a list of affected devices... it's just a list of everything HP makes. So are all printers affected? or did we just get pointed to a generic driver page instead of the "printers that actually need a new driver to prevent this attack" page?
  • Justin on

    Do I have to uninstall my printer driver for my HP Laserjet MFP M225, and then reinstall the updated printer driver install package downloaded from HP website?
  • Disasterferret on

    One assumes you don't have to worry about this on machines where print spooler has been recently disabled (because the machine doesn't need to print), but could it be remotely accessible if the printer is being shared to the local network by the machine? Always a little unclear on whether it's a "person has to be at the keyboard" attack.
  • Jerry on

    Here's the link to the listing of affected devices and the fix: https://support.hp.com/us-en/document/ish_3900395-3833905-16/hpsbpi03724
  • David on

    Seems like there's a typo, NVD has the score as a 7.8, not 8.8 [External link redacted]
  • Chris Pugson on

    My HP LaserJet 1100 driver dates from 2002. This predates the apparent earliest vulnerable drivers which are said to be 2005 and later. Is this correct? There is no information to confirm that the HP LaserJet 1100 driver is immune.
  • Chris Pugson on

    Uh oh! The driver was issued by Microsoft. Microsoft - Printer - 6/22/2006 12:00:00 AM - 6.1.7233.1
  • Steve on

    Really - you are enquiring about a driver that is from 2002! If you are interested in security I suggest you purchase a new device!
