UPDATE
HP Inc. said it has released firmware patches for dozens of enterprise-class printer models affected by an arbitrary code execution bug.
According to a security bulletin posted by HP, the vulnerability (CVE-2017-2750) is tied to “insufficient solution DLL signature validation” allowing for potential execution of arbitrary code on affected printer models. The bug is rated 8.1 in severity on the Common Vulnerability Scoring System scale. HP said patches in the form of firmware updates are available now.
“HP is aware of the issue published by a researcher and have an immediate fix available in our security bulletin at HP.com. Updated systems are not exposed to these vulnerabilities and customers are encouraged to deploy the fix,” according to HP in a statement to Threatpost. Earlier in the week HP had promised a patch would come by the end of the week.
Impacted are 54 printer models ranging from HP’s LaserJet Enterprise printers, HP PageWide Enterprise printers and OfficeJet Enterprise printers.
Researchers at FoxGlove Security are credited for identifying the vulnerability. Researchers first found the flaw in HP’s PageWide Enterprise Color MFP 586 and the HP Color LaserJet Enterprise M553. According to a technical write-up by FoxGlove posted on Monday, HP was notified of the vulnerability in August and both planned the coordinated public disclosure of the bug this week.
Researchers said they were able to execute code on affected printers by reverse engineering files with the “.BDL” extension used in HP Solutions and firmware updates.
“This (.BDL) is a proprietary binary format with no publicly available documentation. We decided that reverse engineering this file format would be beneficial, as it would allow us to gain insight into exactly what firmware updates and software solutions are composed of,” researchers wrote.
Researchers then figured out how to manipulate a ZIP file in the .BDL bundle with malicious code. The only snag was the ZIP generated DLL signature validation errors. To bypass these errors researchers needed to reverse engineering firmware signature validations associated with the BDL files.
“We re-implemented a near exact copy of the algorithm performing signature validation on the printer in C# on our laptop. Then, this program was run in the Visual Studio debugger with a valid DLL file signed by HP as input,” researchers wrote.
Next, the researchers used their own HP software “Solution” package with its bypass digital signature validation mechanism and added a malware payload.
“After performing the signature validation process outlined in the previous section on the new DLL file, and then loading that DLL into the BDL using the python code from our GitHub repository, the modified BDL file was uploaded to the printer successfully,” researchers said.
From there researchers said a “blar” file contained in the BDL bundle instructed the printer to ping a server controlled by third-party. “Success of this command could be confirmed by monitoring the second server. Immediately after hosting the file on the HTTP server, we saw the printer make the request for the file,” researchers said.
The requested file, researchers said, was specially crafted malware.
“If an attacker could run malware on a printer, it would provide a safe haven in the network where they are unlikely to be discovered in addition to unfettered access to print jobs,” researchers noted.
HP said actions outlined to mitigate against the vulnerability “should be acted upon as soon as possible.” That includes searching for updates of specific models on HP’s Support site.
Foxglove posted its malicious code to GitHub.
(This article was updated at 3:45 pm ET 11/22/17 to reflect a statement by HP Inc. the patches are now available.)
