A high severity privilege escalation vulnerability has been identified in HP printer drivers, which are also used by Samsung and Xerox. Exploitation of the flaw would allow an attacker to bypass security products, gain admin privileges, install programs, create new accounts with elevated user permissions, and view, edit, encrypt, or delete data.
According to a recently published report from SentinelOne, the flaw has been present in the printer drivers since 2005 and affects hundreds of millions of Windows machines worldwide. The vulnerability, tracked as CVE-2021-3438, is a buffer overflow issue in the SSPORT.SYS driver, which is used by specific printer models and is automatically installed with the printer software. The driver also comes with Microsoft Windows Update, so it may have been installed without running a dedicated installation file.
Exploitation of the flaw could result in local escalation of user privileges, and a printer does not need to be connected to a Windows machine for the flaw to be exploited. The potential for exploitation is somewhat limited, as an attacker would need local access. The flaw could therefore only be exploited by a remote attacker who has already compromised a targeted device. Should an attacker gain access to a vulnerable device, even with basic user privileges, they could exploit the flaw to elevate their privileges to admin level and execute arbitrary code in kernel mode. The vulnerability has been assigned a CVSS v3 base score of 8.8 out of 10.
Patches have been released for the affected printer models. While there are no known exploits of the flaw in the wild, the sheer number of vulnerable devices will make this an attractive vulnerability for cybercriminals. Prompt patching is therefore strongly recommended.
Details of all HP and Samsung printer models that have the vulnerability and links for the patch to correct the flaw can be found in HP’s security advisory. Xerox says the following models are affected: Xerox B205/B210/B215; Phaser 3020/3052/3260/3320; WorkCentre 3025/3215/3225/3315/3325. The Xerox patch is available on this link.
It is worth noting that currently the certificate has not been revoked, which means that an attacker could install a vulnerable driver once access to a device is gained.
It is far from uncommon for vulnerabilities to be identified in printer drivers, so it is advisable to adhere to cybersecurity best practices to limit the potential for vulnerabilities to be exploited. SentinelOne recommends enforcing strong access control lists (ACLs) at the group level, verifying user input, and ensuring that a generic interface is not exposed to kernel mode operations.
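Because the driver can arrive through Windows Update and does not require a connected printer, patching starts with finding out which hosts have SSPORT.SYS at all. The following PowerShell inventory check is an added example, not code from SentinelOne, HP or Xerox; the two search directories are assumed to be the standard Windows driver locations, and since the article gives no fixed version or hash, the output has to be compared against the vendor advisories.

```powershell
# Added example: inventory a Windows host for the SSPORT.SYS driver named in the article.
# Assumption: the two directories below are the standard Windows driver locations;
# the article itself gives no path, fixed version or file hash for the driver.
$driverName  = 'SSPORT.SYS'
$searchRoots = @(
    (Join-Path $env:SystemRoot 'System32\drivers'),
    (Join-Path $env:SystemRoot 'System32\DriverStore\FileRepository')
)

# 1. Copies of the driver on disk, with version, hash and Authenticode status.
$files = foreach ($root in $searchRoots) {
    if (Test-Path -LiteralPath $root) {
        Get-ChildItem -LiteralPath $root -Filter $driverName -File -Recurse -ErrorAction SilentlyContinue
    }
}
$onDisk = foreach ($f in $files) {
    $sig = Get-AuthenticodeSignature -LiteralPath $f.FullName
    [pscustomobject]@{
        Path         = $f.FullName
        FileVersion  = $f.VersionInfo.FileVersion
        LastWriteUtc = $f.LastWriteTimeUtc
        SHA256       = (Get-FileHash -LiteralPath $f.FullName -Algorithm SHA256).Hash
        SigStatus    = $sig.Status
        Signer       = $sig.SignerCertificate.Subject   # $null when the file is unsigned
    }
}

# 2. Kernel driver services whose image path ends in the driver name.
#    A registered or running service matters even when no printer is attached.
$services = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -like "*$driverName" } |
    Select-Object Name, State, StartMode, PathName

# 3. Report. Presence alone does not prove the host is unpatched: compare
#    FileVersion and LastWriteUtc with the vendor's advisory for the printer model.
if (-not $onDisk -and -not $services) {
    Write-Output "${env:COMPUTERNAME}: $driverName not found in the searched locations"
} else {
    Write-Output "${env:COMPUTERNAME}: $driverName present, review against the vendor advisory"
    $onDisk   | Format-List
    $services | Format-Table -AutoSize
}
```

Run it from an elevated prompt so the DriverStore subfolders are readable. Recording the SHA256 and signer for each copy also gives a baseline for spotting the driver if it later appears on a host where it was not previously installed.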