Faxploit Allows Remote Code Execution Through HP All-in-One Printers

Ryan Seguin

A new exploit demonstrated by Checkpoint Research at DEF CON last week leverages vulnerabilities in all-in-one printers, potentially allowing attackers to take control of other devices on the network.

Background

Checkpoint Research published a proof of concept (PoC) for exploiting two remote code execution vulnerabilities on HP All-in-One printers solely through the printer’s fax line. The two vulnerabilities, CVE-2018-5924 and CVE-2018-5925, are rated critical with a CVSS v3 score of 9.8.

Checkpoint was able to embed malicious code disguised as a JPEG image, which then exploited buffer overflows in the processing code to gain full access to the printer’s operating system. From there, they were able to check if the printer was connected to a local area network (LAN), and use EternalBlue and Double Pulsar attacks to take control of a separate device on the network.

Vulnerability details

In its report, Checkpoint says it believes this is the first publicly documented example of the EternalBlue and Double Pulsar exploits being used to launch attacks via a printer. EternalBlue is a publicly available module that exploits a remote code execution bug in SMBv1. Double Pulsar is a kernel-level malware usually delivered through the EternalBlue exploit, allowing an attacker to load malware onto the target. Checkpoint used these tools via the fax line on the target printer to infect a separate device on the same network.

At the time of this writing, the PoC only covers HP printers, but the researchers at Checkpoint seemed confident other manufacturers could be similarly exploited.

This video from Checkpoint shows the PoC in action.

Checkpoint worked closely with HP to get these vulnerabilities fixed and patched before disclosing their research to the public at DEF CON 26. This allowed HP to have public patches available a few days ahead of the public disclosure of the PoC. HP provides a support page to determine if your printers need to be updated.

Impact assessment

While faxes may seem outdated, they’re still widely used, and in some cases are required, by schools, government offices, medical facilities and manufacturing industries. A Shodan search for internet-facing HP printers in the affected families showed more than 50,000 printers worldwide. Google also shows approximately 300 million indexed fax numbers. All-in-one printer/fax machines have replaced a lot of older standalone fax machines for many businesses, so it can be assumed a fair number of those indexed numbers belong to all-in-one printers.

We haven’t seen this attack attempted publicly yet. However, other researchers and malicious actors are likely to build their own exploit code now that this PoC has been publicly disclosed. An attacker would need to know the model of printer they’re exploiting and the office fax number, or they could go Faxploit fishing with just the listed fax numbers, hoping to get a hit. A Shodan search will show any of the affected printers connected to the web. Attackers could cross-reference this data with other public information to match up the printer with relevant fax numbers.

An attacker could use the foothold created by this exploit to infect other devices in the target environment. While this exploit is likely too complicated for widespread attacks, it could be an ideal vector for targeted attacks.
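One way to watch for the printer-to-LAN pivot described above (an added example, not code from Tenable or Checkpoint): it scans flow records for SMB connections initiated by printers to hosts other than an allow-listed scan-to-folder server. The flow-record format, the printer subnet 10.0.5.0/24 and the file-server address 10.0.1.10 are assumptions, and the sample records are constructed.

```python
import ipaddress

# Constructed sample flow records: "timestamp src_ip dst_ip dst_port proto"
SAMPLE_FLOWS = """\
2018-08-14T09:00:01Z 10.0.5.20 10.0.1.10 445 tcp
2018-08-14T09:00:07Z 10.0.5.20 10.0.2.31 445 tcp
2018-08-14T09:00:07Z 10.0.5.20 10.0.2.32 445 tcp
2018-08-14T09:00:08Z 10.0.5.20 10.0.2.33 139 tcp
2018-08-14T09:01:15Z 10.0.2.31 10.0.5.20 9100 tcp
2018-08-14T09:02:40Z 10.0.5.21 10.0.1.10 445 tcp
malformed line
"""

PRINTER_NET = ipaddress.ip_network("10.0.5.0/24")          # assumed printer VLAN
ALLOWED_SMB_TARGETS = {ipaddress.ip_address("10.0.1.10")}  # assumed scan-to-folder server
SMB_PORTS = {139, 445}                                     # NetBIOS session and SMB over TCP


def parse_flow(line):
    """Parse one flow record; return None for lines that do not fit the format."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, src, dst, port, proto = parts
    try:
        return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port), proto.lower()
    except ValueError:
        return None


def unexpected_printer_smb(text):
    """Return {printer_ip: sorted SMB destinations that are not allow-listed}."""
    hits = {}
    for line in text.splitlines():
        rec = parse_flow(line)
        if rec is None:
            continue
        _ts, src, dst, port, proto = rec
        if proto != "tcp" or port not in SMB_PORTS:
            continue
        # Only printer-initiated SMB to something other than the known share matters.
        if src not in PRINTER_NET or dst in ALLOWED_SMB_TARGETS:
            continue
        hits.setdefault(str(src), set()).add(str(dst))
    return {printer: sorted(dsts) for printer, dsts in hits.items()}


if __name__ == "__main__":
    for printer, targets in unexpected_printer_smb(SAMPLE_FLOWS).items():
        print(f"{printer}: SMB to {len(targets)} unexpected host(s): {', '.join(targets)}")
```
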

Urgently required actions

If your business uses an all-in-one fax/printer, we recommend updating the firmware to the latest version provided by the manufacturer. At the time of this writing, HP is the only vendor with a patch for this specific exploit. We recommend checking with your printer vendor's support channels to see if they’ve responded as well.

Below is a list of plugins Tenable has released to detect if the HP printers in your network are vulnerable. Tenable will continue to monitor the situation and provide updated protection as vendors provide updates.

Tenable Plugins

| Plugin ID | Name | Description |
|-----------|------|-------------|
| 111666 | hp_printers_HPSBHF03589.nasl | The firmware version running on the remote host is vulnerable to multiple vulnerabilities. An unauthenticated remote attacker could gain system-level unauthorized access to the affected device. |
| 111667 | hp_www_detect.nbin | The remote host has been identified as using an HP embedded web server. |

Learn more:

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.


Published on Aug 14, 2018
