Vulnerabilities in over 150 HP multi-function printers show that every device connected to a network can enlarge the attack surface. Security experts uncovered two vulnerabilities in Multi-Function Printers (MFPs) that affect 150 product types.
Timo Hirvonen and Alexander Bolshev of F-Secure have documented their results in a thorough study, Printing Shellz. The vulnerabilities they discovered were two exposed physical access port vulnerabilities (CVE-2021-39237) and two different font parsing vulnerabilities (CVE-2021-39238).
A networked HP MFP M725z printer, a 2013 model that is still supported, was found to be running firmware from the same year. An attacker with physical access to the printer would be able “to dump and tamper with all data that is stored on the system and user partitions of the device,” according to the researchers. The experts also believe that the vulnerabilities may allow attackers to use the compromised MFP as an entry point into the corporate network.