HP has patched a severe vulnerability that has been hidden in a printer driver for 16 years.
On Tuesday, SentinelLabs published an analysis of the vulnerability, tracked as CVE-2021-3438 and issued a CVSS score of 8.8.
The security issue is described as a “potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers could lead to an escalation of privilege.”
According to the researchers, some HP, Xerox, and Samsung printer models contained vulnerable driver software, sold worldwide since 2005.
The driver in question, SSPORT.SYS, is automatically installed and activated, whether the model was wireless or cabled. The driver is also loaded automatically by Microsoft’s Windows operating system on PC boot.
“This makes the driver a perfect candidate to target since it will always be loaded on the machine even if there is no printer connected,” the researchers say.
The vulnerable function in the driver is the acceptance of data without size parameter validation, allowing attackers to overrun the driver’s buffer theoretically.
Local attackers could escalate their privileges to a SYSTEM account and run code in kernel mode in order to perform actions including tampering with a target machine. However, SentinelLabs says that the time was not invested in finding a way to weaponize it alone, and a successful exploit may need a chain of vulnerabilities.
SentinelLabs researcher Kasif Dekel reported the vulnerability to HP on February 18. The vendor issued a patch to resolve the security flaw on May 19. No exploits in the wild have been detected.
HP said impacted models include the HP LaserJet, Samsung CLP, Samsung MultiXpress, and Samsung Xpress series in a security advisory.
The vendor has provided a patch and is asking customers to update their software. To do so, customers can visit the HP software portal, select their printer model, and apply the update.
Xerox has provided a separate security advisory (.PDF) naming Xerox B205/B210/B215, Phaser, and WorkCentre models as impacted by the bug.
Previous and related coverage
Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0
