Advisory No: TZCERT/SA/2021/12/01
Date of First Release: 01st December 2021
Software Affected: HP Color LaseJet Enterprise, HP OfficeJet Enterprise and HP ScanJet Enterprise 8500 FN1 firmware.
Two vulnerabilities, namely CVE-2021-39238 and CVE-2021-39237, exists in HP multi-function printers (MFPs) products. The exploitation of these vulnerabilities could allow an attacker to take control of the affected systems.
The first vulnerability (CVE-2021-39238), the buffer flow issue, could lead to the development of a self-propagating network worm capable of spreading autonomously to other vulnerable MFPs on the same network.
The second vulnerability (CVE-2021-39237) is an information disclosure bug caused by an exposed physical port; local access is necessary as an attack vector.
These weaknesses can be exploited locally by gaining physical access to the device through printing from USB. Another possible attack vector for CVE-2021-39238 is sending an exploit payload through a browser via cross-site printing (XSP).
Successful exploitation of these vulnerabilities may allow an attacker to take control of the affected systems.
HP has issued updates to fix vulnerable versions of the printer’s firmware. Users and Administrators are encouraged to apply necessary updates.