Facebook Google Plus Twitter LinkedIn YouTube RSS Menu Search Resource - BlogResource - WebinarResource - ReportResource - Eventicons_066 icons_067icons_068icons_069icons_070

Tenable Blog

Subscribe

Faxsploit Allows Remote Code Execution Through HP All-in-One Printers

A new exploit demonstrated by Checkpoint Research at DEF CON last week leverages vulnerabilities in all-in-one printers, potentially allowing attackers to take control of other devices on the network.

Background

Checkpoint Research published a proof of concept (PoC) for exploiting two remote code execution vulnerabilities on HP All-in-One printers solely through the printer’s fax line. These critical vulnerabilities score CVSS v3 as 9.8 and include CVE-2018-5924 and CVE-2018-5925.

Checkpoint was able to embed malicious code disguised as a JPEG image, which then exploited buffer overflows in the processing code to gain full access to the printer’s operating system. From there, they were able to check if the printer was connected to a local area network (LAN), and use EternalBlue and Double Pulsar attacks to take control of a separate device on the network.

Vulnerability details

In its report, Checkpoint says it believes this is the first publicly documented example of the EternalBlue and Double Pulsar exploits being used to launch attacks via a printer. EternalBlue is a publicly available module that exploits a remote code execution bug in SMBv1. Double Pulsar is a kernel-level malware usually delivered through the EternalBlue exploit, allowing an attacker to load malware onto the target. Checkpoint used these tools via the fax line on the target printer to infect a separate device on the same network.

At the time of this writing, the PoC only covers HP printers, but the researchers at Checkpoint seemed confident other manufacturers could be similarly exploited.

This video from Checkpoint shows the PoC in action.

Checkpoint worked closely with HP to get these vulnerabilities fixed and patched before disclosing their research to the public at DEF CON 26. This allowed HP to have public patches available a few days ahead of the public disclosure of the PoC. HP provides a support page to determine if your printers need to be updated.

Impact assessment

While faxes may seem outdated, they’re still widely used -- and in some cases are required -- by schools, government offices, medical facilities and manufacturing industries. A Shodan search for internet-facing HP printers in the affected families showed more than 50,000 printers worldwide. Google also shows approximately 300 million indexed fax numbers. All-in-one Printer/Fax machines have replaced a lot of older standalone faxes for many businesses, so it can be assumed a fair number of those indexed numbers belong to all-in-one printers.

We haven’t seen this attack attempted publicly yet. However, other researchers and malicious actors are likely to build their own exploit code now that this PoC has been publicly disclosed. An attacker would need to know the model of printer they’re exploiting and the office fax number, or they could go Faxploit fishing with just the listed fax numbers hoping to get a hit. A Shodan search will show any of the affected printers connected to the web. Attackers could cross reference this data with other public information to match up the printer with relevant fax numbers.

An attacker could utilize the foothold created by this exploit in order to further infect other devices in the target environment. While this exploit is likely too complicated for widespread attacks, it could be an ideal vector for targeted attacks.

Urgently required actions

If your business uses an an all-in-one fax/printer, we recommend updating the firmware to the latest version provided by the manufacturer. At the time of this writing, HP is the only vendor with a patch for this specific exploit. We recommend checking with printer vendor support channels to see if they’ve responded as well.

Below is a list of plugins Tenable has released to detect if the HP printers in your network are vulnerable. Tenable will continue to monitor the situation and provide updated protection as vendors provide updates.

Tenable Plugins

Plugin ID

Name

Description

111666

hp_printers_HPSBHF03589.nasl

The firmware version running on the remote host is vulnerable to multiple vulnerabilities. An unauthenticated remote attacker could gain system-level unauthorized access to the affected device.

111667

hp_www_detect.nbin

The remote host has been identified as using an HP embedded web server.

Learn more:

Learn more about Tenable.io, the first Cyber Exposure platform for holistic management of your modern attack surface. Get a free 60-day trial of Tenable.io Vulnerability Management.

Related Articles

Cybersecurity News You Can Use

Enter your email and never miss timely alerts and security guidance from the experts at Tenable.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy.

Your Tenable Vulnerability Management trial also includes Tenable Lumin and Tenable Web App Scanning.

Tenable Vulnerability Management

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

100 assets

Choose Your Subscription Option:

Buy Now

Try Tenable Web App Scanning

Enjoy full access to our latest web application scanning offering designed for modern applications as part of the Tenable One Exposure Management platform. Safely scan your entire online portfolio for vulnerabilities with a high degree of accuracy without heavy manual effort or disruption to critical web applications. Sign up now.

Your Tenable Web App Scanning trial also includes Tenable Vulnerability Management and Tenable Lumin.

Buy Tenable Web App Scanning

Enjoy full access to a modern, cloud-based vulnerability management platform that enables you to see and track all of your assets with unmatched accuracy. Purchase your annual subscription today.

5 FQDNs

$3,578

Buy Now

Try Tenable Lumin

Visualize and explore your exposure management, track risk reduction over time and benchmark against your peers with Tenable Lumin.

Your Tenable Lumin trial also includes Tenable Vulnerability Management and Tenable Web App Scanning.

Buy Tenable Lumin

Contact a Sales Representative to see how Tenable Lumin can help you gain insight across your entire organization and manage cyber risk.

Try Tenable Nessus Professional Free

FREE FOR 7 DAYS

Tenable Nessus is the most comprehensive vulnerability scanner on the market today.

NEW - Tenable Nessus Expert
Now Available

Nessus Expert adds even more features, including external attack surface scanning, and the ability to add domains and scan cloud infrastructure. Click here to Try Nessus Expert.

Fill out the form below to continue with a Nessus Pro Trial.

Buy Tenable Nessus Professional

Tenable Nessus is the most comprehensive vulnerability scanner on the market today. Tenable Nessus Professional will help automate the vulnerability scanning process, save time in your compliance cycles and allow you to engage your IT team.

Buy a multi-year license and save. Add Advanced Support for access to phone, community and chat support 24 hours a day, 365 days a year.

Select Your License

Buy a multi-year license and save.

Add Support and Training

Try Tenable Nessus Expert Free

FREE FOR 7 DAYS

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Already have Tenable Nessus Professional?
Upgrade to Nessus Expert free for 7 days.

Buy Tenable Nessus Expert

Built for the modern attack surface, Nessus Expert enables you to see more and protect your organization from vulnerabilities from IT to the cloud.

Select Your License

Buy a multi-year license and save more.

Add Support and Training