Security researchers have discovered a potentially dangerous vulnerability in the firmware of various Hewlett Packard (HP) enterprise printer models that could be abused by attackers to run arbitrary code on affected printer models remotely.
The vulnerability (CVE-2017-2750), rated high in severity with a CVSS score of 8.1, is due to insufficient validation of parts of Dynamic Link Libraries (DLLs), which allows for the potential execution of arbitrary code remotely on 54 affected printer models.
The security flaw affects 54 printer models ranging from HP LaserJet Enterprise, LaserJet Managed, PageWide Enterprise and OfficeJet Enterprise printers.
This remote code execution (RCE) vulnerability was discovered by researchers at FoxGlove Security when they were analyzing the security of HP's MFP-586 printer (currently sold for $2,000) and HP LaserJet Enterprise M553 printers (sold for $500).
According to a technical write-up posted by FoxGlove on Monday, researchers were able to execute code on affected printers by reverse engineering files with the ".BDL" extension used in both HP Solutions and firmware updates.
"This (.BDL) is a proprietary binary format with no publicly available documentation," researchers said. "We decided that reverse engineering this file format could be beneficial, as it could allow us to gain insight into exactly what firmware updates and software solutions are composed of."
Since HP has implemented a signature validation mechanism to prevent tampering with the system, the researchers failed to upload malicious firmware to the affected printer.
However, after some testing, the researchers said that "it may be possible to manipulate the numbers read into int32_2 and int32_3 in such a way that the portion of the DLL file having its signature verified could be separated from the actual executable code that could run on the printer."
The researchers were able to bypass the digital signature validation mechanism for the HP software "Solution" package and managed to add a malicious DLL payload and execute arbitrary code.
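The class of flaw described above, where header fields decide which bytes are signature-checked while different bytes get loaded, shown beside the check that closes it. This is an added example, not FoxGlove's or HP's code: the two-field header and the functions `pack`, `load_naive` and `load_strict` are hypothetical, the layout is not the BDL format, and HMAC-SHA256 stands in for a real signature.

```python
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # stand-in for a vendor signing key (assumption)
HDR = struct.Struct("<II")      # hypothetical header: signed_off, signed_len
TAG_LEN = 32                    # HMAC-SHA256 stands in for a real signature

def _tag(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()

def pack(body):
    """Build a toy package whose tag covers the whole body."""
    return HDR.pack(0, len(body)) + _tag(body) + body

def _split(pkg):
    if len(pkg) < HDR.size + TAG_LEN:
        raise ValueError("truncated package")
    off, length = HDR.unpack_from(pkg)
    tag = pkg[HDR.size:HDR.size + TAG_LEN]
    return off, length, tag, pkg[HDR.size + TAG_LEN:]

def load_naive(pkg):
    """Flawed: verifies only the range the header names, loads the whole body."""
    off, length, tag, body = _split(pkg)
    if not hmac.compare_digest(tag, _tag(body[off:off + length])):
        raise ValueError("bad signature")
    return body                 # bytes that would be handed to the loader

def load_strict(pkg):
    """Hardened: the verified bytes must be exactly the bytes that get loaded."""
    off, length, tag, body = _split(pkg)
    if off != 0 or length != len(body):
        raise ValueError("signed range does not cover the loaded code")
    if not hmac.compare_digest(tag, _tag(body)):
        raise ValueError("bad signature")
    return body

if __name__ == "__main__":
    good = pack(b"VENDOR-CODE")            # constructed sample input
    grown = good + b"+UNSIGNED-BYTES"      # body extended after signing
    print(load_naive(grown))               # accepted, unsigned bytes included
    try:
        load_strict(grown)
    except ValueError as err:
        print("rejected:", err)
```

The design point is that the loader should derive what it executes from the verified bytes themselves, never from a separate length or offset that the signature does not cover.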
FoxGlove Security has made the source code of the tools used during its research available on GitHub, along with the proof-of-concept (PoC) malware payload that could be remotely installed on the printers.
The actions performed by their proof of concept malware are as follows:
- It downloads a file from http[://]nationalinsuranceprograms[.]com/blar
- Executes the command specified in the file on the printer
- Waits for 5 seconds
FoxGlove Security reported this remote code execution vulnerability to HP in August this year, and the vendor fixed the issue with the release of new firmware updates for its business and enterprise printers.
To download the new firmware update, visit the HP website in your web browser, select Support at the top of the page and then select Software & drivers. At this point, enter the product name or model number in the search box, then scroll down in the search results to firmware and download the necessary files.