HP Patches High-Risk Vulnerability in Business Printers

HP released security firmware updates this week for dozens of printers, including enterprise models, to fix a high-risk vulnerability that could allow attackers to compromise the devices.

The vulnerability, tracked as CVE-2017-2750, stems from a failure to properly validate DLL signatures and can be exploited to execute arbitrary code on the operating system of 54 HP printers. The flaw is rated 8.1 out of 10 on the Common Vulnerability Scoring System (CVSS), which corresponds to a high severity level.

The issue was found by researchers from Foxglove Security while investigating the HP PageWide Enterprise Color MFP 586 and the HP Color LaserJet Enterprise M553. However, according to HP’s security bulletin, many other enterprise printer models are also affected.

The Foxglove researchers decided to look at the security of HP printers after seeing a marketing video created by the company that hinted its devices are more secure than printers from other manufacturers. The company has indeed added security features to some of its printers in recent years, including BIOS verification, firmware signature validation and run-time intrusion detection.

The researchers started by analyzing the proprietary BDL (FutureSmart) binary format used by HP firmware updates and third-party applications for HP printers called “Solutions.” The researchers managed to extract a ZIP archive from a BDL file and then replaced the original file with an archive that had the same name, length and CRC-32 checksum, but had different contents.

The file was successfully loaded by HP’s solutions installer. However, to achieve code execution the researchers needed to replace an executable file that would be loaded by the system. When they attempted to do this with a DLL file, the installation failed because the firmware checked the file’s digital signature. This sent the researchers hunting for implementation flaws in HP’s DLL signature validation algorithm, and they eventually found an issue that allowed them to bypass the security mechanism. That’s the bug that became CVE-2017-2750 and that HP has now patched.

“With a method to construct our own HP software ‘Solution’ packages, and another to bypass their digital signature validation mechanism, the only remaining hurdle was to build a piece of malware compatible with HP’s platform,” the researchers said in a technical analysis.

This was achieved relatively easily by modifying a legitimate file, HP.ExtLib.dll, to include a malicious function. The code to create the malware was released on GitHub. This makes applying HP’s patches urgent because a proof-of-concept exploit is now publicly available.

“There exist a number of methods for updating the firmware of HP printers,” the researchers said. “Most administrators would be aware that firmware updates can be installed through the printer’s web interface and through the ‘Web Jet Admin’ client. Firmware can also be installed at boot time through BOOTP/TFTP options, although after some testing we were not able to find the right set of options to make this work. Additionally, the security settings page on the HP printers implies that firmware can be installed through a print job over port 9100.”

The researchers also found evidence that a “Manufacturing Config Package” could be installed on an HP printer. This places the system in “Development” mode, which permits the installation of unsigned firmware updates. However, such a package could not be located, and the exact method by which it has to be installed is unclear.

Credentials Leaked in Source Code Repository Led to Uber Mega Hack

Uber announced Tuesday that it suffered a major security breach in October 2016 in which hackers gained access to names, email addresses and phone numbers of 50 million customers and the personal information of around 7 million drivers. The hackers broke in by taking advantage of a common security oversight: storing sensitive access credentials in source code repositories.

Two attackers accessed a private GitHub repository used by Uber software engineers and found login credentials for the company’s storage servers on Amazon Web Services (AWS), Bloomberg reported. On those servers, the hackers found an archive containing information on Uber riders and drivers.

Over the years, researchers have found thousands of AWS access keys and other credentials stored in publicly available source code. A few years ago the problem got so bad that GitHub began actively scanning for such leaks and notifying repository owners. People have even built free tools that automatically find all sorts of hard-coded credentials, API tokens and other keys in source code repositories.
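The kind of check those tools perform, as an added example that is not from the article or from any tool it mentions: a small Python scanner that flags AWS access key IDs and secret access keys in source text, with an entropy check so that obvious placeholders are not reported. The regexes, the entropy threshold and the sample file are assumptions constructed for this example; the key pair in the sample is the documented AWS example pair, not a live credential.

```python
import math
import re
from typing import List, Tuple

# Detection patterns (constructed for this example). AWS access key IDs are 20
# characters starting "AKIA" (long-term) or "ASIA" (temporary); the matching
# secret access key is 40 characters from the base64 alphabet.
AWS_ACCESS_KEY_RE = re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b")
AWS_SECRET_KEY_RE = re.compile(
    r"aws[_-]?secret[_-]?(?:access[_-]?)?key\W{0,5}([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])",
    re.IGNORECASE,
)
ENTROPY_THRESHOLD = 4.0  # bits per character; real secrets usually score above this

def shannon_entropy(s: str) -> float:
    """Shannon entropy in bits per character; placeholders like 'xxxx...' score 0."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def scan_line(line: str) -> List[Tuple[str, str]]:
    """Return (kind, value) findings for one line of source."""
    findings = []
    for m in AWS_ACCESS_KEY_RE.finditer(line):
        findings.append(("aws_access_key_id", m.group(0)))
    for m in AWS_SECRET_KEY_RE.finditer(line):
        secret = m.group(1)
        if shannon_entropy(secret) > ENTROPY_THRESHOLD:  # skip obvious placeholders
            findings.append(("aws_secret_access_key", secret))
    return findings

def scan_source(text: str) -> List[Tuple[int, str, str]]:
    """Scan a whole file's text; returns (line number, kind, value) for each hit."""
    return [(n, kind, value)
            for n, line in enumerate(text.splitlines(), 1)
            for kind, value in scan_line(line)]

# Constructed sample of a settings file committed by mistake. The key pair is
# the example pair from AWS documentation, not a live credential.
SAMPLE_SOURCE = """\
# settings.py
AWS_ACCESS_KEY_ID = "AKIAIOSFODNN7EXAMPLE"
AWS_SECRET_ACCESS_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"
aws_secret_access_key = "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"  # placeholder
region = "us-east-1"
"""
```

Run it over the content of every revision, not only the working tree: a credential deleted in a later commit is still in the repository history, which is exactly where an attacker with access to the repository will look.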

“Github is a major source of risk for companies,” said Jeremiah Grossman, chief of security strategy at SentinelOne. “It’s difficult, if not impossible, for an organization to lock down this vector. Developers accidentally, and often unknowingly, share credentials over GitHub all the time where they become exposed.”

“While traditional security controls remain crucial to organizational security, it’s no good if individuals with access to private information expose their account credentials in a place where they can be obtained and misused by others,” Grossman said.


Lucian Constantin

Lucian has been covering computer security and the hacker culture for almost a decade, his work appearing in many technology publications including PCWorld, Computerworld, Network World, CIO, CSO, Forbes and The Inquirer. He has a bachelor's degree in political science, but has been passionate about computers and cybersecurity from an early age. Before he chose a career in journalism, Lucian worked as a system and network administrator. He enjoys attending security conferences and delving into interesting research papers. You can reach him at lucian@constantinsecurity.com or @lconstantin on Twitter. For encrypted email, his PGP key's fingerprint is: 7A66 4901 5CDA 844E 8C6D 04D5 2BB4 6332 FC52 6D42
