HP to Patch Bug Impacting 50 Enterprise Printer Models

HP said dozens of enterprise-class printer models will receive a patch for an arbitrary code execution vulnerability sometime this week.

UPDATE

HP Inc. said it has released firmware patches for dozens of enterprise-class printer models affected by an arbitrary code execution bug.

According to a security bulletin posted by HP, the vulnerability (CVE-2017-2750) is tied to “insufficient solution DLL signature validation,” allowing potential execution of arbitrary code on affected printer models. The bug is rated 8.1 on the Common Vulnerability Scoring System (CVSS) scale. HP said patches in the form of firmware updates are available now.

“HP is aware of the issue published by a researcher and has an immediate fix available in our security bulletin at HP.com. Updated systems are not exposed to these vulnerabilities and customers are encouraged to deploy the fix,” HP said in a statement to Threatpost. Earlier in the week HP had promised a patch would come by the end of the week.

Impacted are 54 printer models across HP’s LaserJet Enterprise, PageWide Enterprise and OfficeJet Enterprise lines.

Researchers at FoxGlove Security are credited with identifying the vulnerability. They first found the flaw in HP’s PageWide Enterprise Color MFP 586 and the HP Color LaserJet Enterprise M553. According to a technical write-up FoxGlove posted on Monday, HP was notified of the vulnerability in August, and the two parties coordinated public disclosure of the bug for this week.

The researchers said they were able to execute code on affected printers after reverse engineering the files with the “.BDL” extension that HP uses for Solutions and firmware updates.

“This (.BDL) is a proprietary binary format with no publicly available documentation. We decided that reverse engineering this file format would be beneficial, as it would allow us to gain insight into exactly what firmware updates and software solutions are composed of,” researchers wrote.

The researchers then worked out how to replace the contents of a ZIP file inside the .BDL bundle with malicious code. The snag was that the modified ZIP triggered DLL signature validation errors on the printer. To get past them, the researchers had to reverse engineer the signature validation the firmware performs on the DLLs carried in BDL files.

“We re-implemented a near exact copy of the algorithm performing signature validation on the printer in C# on our laptop. Then, this program was run in the Visual Studio debugger with a valid DLL file signed by HP as input,” researchers wrote.

Next, the researchers built their own HP software “Solution” package, bypassed its digital signature validation, and added a malware payload.

“After performing the signature validation process outlined in the previous section on the new DLL file, and then loading that DLL into the BDL using the python code from our GitHub repository, the modified BDL file was uploaded to the printer successfully,” researchers said.
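The chain above hinges on one property of the validation routine: if it can be re-implemented on a laptop and then satisfied for a modified file, it is an integrity check, not an authenticity check. The following is an added illustration, not code from FoxGlove or HP, and it does not reproduce the BDL format or HP’s actual validation algorithm (neither is documented on this page). It uses a constructed bundle layout with a digest-only verifier that a reverse-engineered re-implementation can satisfy, beside a public-key verifier in which the printer holds only the vendor’s public key. The bundle fields, the key material (textbook RSA over two fixed primes so the example runs with the standard library alone; not for real use) and the payload bytes are all hypothetical.

```python
"""Digest-only package validation (forgeable by anyone who knows the
algorithm) beside public-key validation (needs the vendor's private key).
Constructed example: the bundle format, keys and payloads are hypothetical
and are not HP's BDL format or HP's validation code."""
import hashlib
import json

# Hypothetical vendor keypair. Textbook RSA over two Mersenne primes, used
# only so the example runs offline with the standard library. Not for real use.
_P = 2147483647                # 2**31 - 1
_Q = 2305843009213693951       # 2**61 - 1
VENDOR_N = _P * _Q             # public modulus: shipped inside printer firmware
VENDOR_E = 65537               # public exponent: shipped inside printer firmware
_VENDOR_D = pow(VENDOR_E, -1, (_P - 1) * (_Q - 1))  # private: stays at the vendor


def _digest_int(data: bytes) -> int:
    """SHA-256 of the payload truncated to 88 bits so it is below VENDOR_N."""
    return int.from_bytes(hashlib.sha256(data).digest()[:11], "big")


def vendor_sign(payload: bytes) -> int:
    """Vendor-side signing: only the holder of _VENDOR_D can produce this."""
    return pow(_digest_int(payload), _VENDOR_D, VENDOR_N)


def build_bundle(payload: bytes, signed: bool) -> dict:
    """Constructed 'solution bundle': a manifest plus the DLL bytes."""
    manifest = {"sha256": hashlib.sha256(payload).hexdigest()}
    if signed:
        manifest["sig"] = vendor_sign(payload)
    return {"manifest": manifest, "payload": payload}


def weak_verify(bundle: dict) -> bool:
    """Insufficient check: compares the payload against a digest stored in the
    bundle itself. Anyone who reverse-engineers the format can recompute it."""
    return hashlib.sha256(bundle["payload"]).hexdigest() == bundle["manifest"]["sha256"]


def strong_verify(bundle: dict) -> bool:
    """Public-key check: the printer needs only (VENDOR_N, VENDOR_E) and the
    signature must verify to the digest of the entire payload."""
    sig = bundle["manifest"].get("sig")
    if sig is None or not 0 < sig < VENDOR_N:
        return False
    return pow(sig, VENDOR_E, VENDOR_N) == _digest_int(bundle["payload"])


def attacker_tamper(bundle: dict, malicious: bytes) -> dict:
    """What a laptop-side re-implementation of the check lets an attacker do:
    swap the payload and fix up every field computable without the private key."""
    tampered = {"manifest": dict(bundle["manifest"]), "payload": malicious}
    tampered["manifest"]["sha256"] = hashlib.sha256(malicious).hexdigest()
    # The signature is copied unchanged: the attacker does not have _VENDOR_D.
    return tampered


# Constructed payload bytes standing in for a genuine and a malicious DLL.
GENUINE_DLL = b"MZ...genuine vendor solution DLL (constructed bytes)"
MALICIOUS_DLL = b"MZ...attacker DLL that fetches a second stage (constructed bytes)"


def demo() -> dict:
    """Run both verifiers over a genuine bundle and a tampered copy of it."""
    genuine = build_bundle(GENUINE_DLL, signed=True)
    forged = attacker_tamper(genuine, MALICIOUS_DLL)
    return {
        "genuine_weak": weak_verify(genuine),
        "genuine_strong": strong_verify(genuine),
        "forged_weak": weak_verify(forged),      # True: digest was recomputed
        "forged_strong": strong_verify(forged),  # False: signature is for the old payload
    }


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Running the file prints the four outcomes: the forged bundle passes `weak_verify` because the attacker can recompute the stored digest, and fails `strong_verify` because the copied signature verifies to the genuine payload’s digest, not the malicious one. The practical check for any firmware or solution-package loader is the same: a package whose payload was altered by someone without the signing key must be rejected, and the signature must cover the whole payload rather than a header or a single manifest field.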

From there, the researchers said, a “blar” file contained in the BDL bundle instructed the printer to contact a server they controlled. “Success of this command could be confirmed by monitoring the second server. Immediately after hosting the file on the HTTP server, we saw the printer make the request for the file,” the researchers said.

The requested file, researchers said, was specially crafted malware.

“If an attacker could run malware on a printer, it would provide a safe haven in the network where they are unlikely to be discovered in addition to unfettered access to print jobs,” researchers noted.

HP said the mitigation actions outlined in its bulletin “should be acted upon as soon as possible.” That includes checking HP’s Support site for firmware updates for the specific affected models.

FoxGlove posted its proof-of-concept code to GitHub.

(This article was updated at 3:45 pm ET 11/22/17 to reflect a statement by HP Inc. the patches are now available.)
