Faxploit Allows Remote Code Execution Through HP All-in-One Printers


A new exploit demonstrated by Checkpoint Research at DEF CON last week leverages vulnerabilities in all-in-one printers, potentially allowing attackers to take control of other devices on the network.

Background

Checkpoint Research published a proof of concept (PoC) for exploiting two remote code execution vulnerabilities on HP All-in-One printers solely through the printer’s fax line. Both vulnerabilities, CVE-2018-5924 and CVE-2018-5925, are rated critical with a CVSS v3 score of 9.8.

Checkpoint was able to embed malicious code disguised as a JPEG image, which then exploited buffer overflows in the processing code to gain full access to the printer’s operating system. From there, they were able to check if the printer was connected to a local area network (LAN), and use EternalBlue and Double Pulsar attacks to take control of a separate device on the network.

Vulnerability details

In its report, Checkpoint says it believes this is the first publicly documented example of the EternalBlue and Double Pulsar exploits being used to launch attacks via a printer. EternalBlue is a publicly available module that exploits a remote code execution bug in SMBv1. Double Pulsar is a kernel-level malware usually delivered through the EternalBlue exploit, allowing an attacker to load malware onto the target. Checkpoint used these tools via the fax line on the target printer to infect a separate device on the same network.

At the time of this writing, the PoC only covers HP printers, but the researchers at Checkpoint seemed confident other manufacturers could be similarly exploited.

This video from Checkpoint shows the PoC in action.

Checkpoint worked closely with HP to get these vulnerabilities fixed and patched before disclosing their research to the public at DEF CON 26. This allowed HP to have public patches available a few days ahead of the public disclosure of the PoC. HP provides a support page to determine if your printers need to be updated.

Impact assessment

While faxes may seem outdated, they’re still widely used — and in some cases are required — by schools, government offices, medical facilities and manufacturing industries. A Shodan search for internet-facing HP printers in the affected families showed more than 50,000 printers worldwide. Google also shows approximately 300 million indexed fax numbers. All-in-one Printer/Fax machines have replaced a lot of older standalone faxes for many businesses, so it can be assumed a fair number of those indexed numbers belong to all-in-one printers.

We haven’t seen this attack attempted publicly yet. However, other researchers and malicious actors are likely to build their own exploit code now that this PoC has been publicly disclosed. An attacker would need to know the model of printer they’re exploiting and the office fax number, or they could go Faxploit fishing with just the listed fax numbers, hoping to get a hit. A Shodan search will show any of the affected printers connected to the web. Attackers could cross-reference this data with other public information to match up the printer with relevant fax numbers.

An attacker could utilize the foothold created by this exploit in order to further infect other devices in the target environment. While this exploit is likely too complicated for widespread attacks, it could be an ideal vector for targeted attacks.

Urgently required actions

If your business uses an all-in-one fax/printer, we recommend updating the firmware to the latest version provided by the manufacturer. At the time of this writing, HP is the only vendor with a patch for this specific exploit. We recommend checking with your printer vendor’s support channels to see if they’ve responded as well.

Below is a list of plugins Tenable has released to detect if the HP printers in your network are vulnerable. Tenable will continue to monitor the situation and provide updated protection as vendors provide updates.

Tenable Plugins

| Plugin ID | Name | Description |
| --- | --- | --- |
| 111666 | hp_printers_HPSBHF03589.nasl | The firmware version running on the remote host is vulnerable to multiple vulnerabilities. An unauthenticated remote attacker could gain system-level unauthorized access to the affected device. |
| 111667 | hp_www_detect.nbin | The remote host has been identified as using an HP embedded web server. |

