Finding HP printers and MFPs vulnerable to Printing Shellz
Do you have HP printers and multi-function printers (MFPs)? You might want to look at the two recently published vulnerabilities that affect 150+ models. Named “Printing Shellz” by the F-Secure security researchers who reported them, these vulns have been around for ~8 years.
When successfully exploited, can provide attackers with:
- CVE-2021-39237, “medium” CVSS score of 4.6 - Information disclosure via exposed connectors to gain shell access (requires physical access to the vulnerable device).
- CVE-2021-39238, “critical” CVSS score of 9.8 - Remote code execution via buffer overflow in the font parsing logic.
HP LaserJet, PageWide, OfficeJet, and ScanJet product lines all contain vulnerable models. You can find the full lists in HP’s posted advisories: CVE-2021-39237 and CVE-2021-39238.
HP released patched firmware last month and urged owners of affected printers to update their firmware as soon as possible. F-Secure’s researchers also offer some mitigation strategies, as well in section 6 of their writeup.
How to find vulnerable HP printers and MFPs with runZero
From the Asset Inventory, use the following pre-built query to locate potentially vulnerable HP printer and MFP assets within your network:
NOT hardware:"JetDirect" AND (mac_vendor:"HP" OR mac_vendor:="Hewlett Packard%" OR hardware:"HP%" OR hardware:="Hewlett Packard%") AND (type:printer OR os.family:"LaserJet" OR NOT (os:"%iLO%" OR type:switch OR type:computer))
You can also search via the Service Inventory, using the following pre-built query to locate potentially HP printer and MFP services within your network:
_asset.protocol:http AND protocol:http AND ((html.title:="HP %LaserJet%" OR banner:="HP %LaserJet%") OR (html.title:="HP %PageWide%" OR banner:="HP %PageWide%") OR (html.title:="HP %OfficeJet%" OR banner:="HP %OfficeJet%") OR (html.title:="HP %ScanJet%" OR banner:="HP %ScanJet%"))
Note that results from the above queries may contain models that are not vulnerable, so manual verification against the full lists of affected models published by HP (here and here) is needed.
As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.
Similar Content
September 30, 2022
Finding Microsoft Exchange Servers on your network
GTSC, a Vietnamese security firm, recently discovered two zero-day vulnerabilities that affect Microsoft Exchange Server 2013, 2016, and 2019. These two vulnerabilities are being tracked as CVE-2022-41040 and CVE-2022-41082.
August 4, 2022
Finding DrayTek Vigor routers
The Trellix Threat Labs Vulnerability Research team recently published vulnerability details affecting almost 30 models of DrayTek Vigor routers. This vulnerability resides in the management interface login page and is trivial to exploit via buffer overflow. An …
Read MoreJuly 29, 2022
Hunting for X.509 Certificates
X.509 certificates are used to secure communications over both trusted and untrusted networks. Protocols such as Transport Layer Security (TLS) rely on X.509 certificates to keep their communications secure between endpoints. Each X.509 certificate is composed of a public …
Read More