A SECURITY flaw in up to 150 models of HP printers allowed them to be hacked through a simple email exposing your personal information, according to a new report.
Cybersecurity researchers revealed that the critical flaw dated back to 2013 and could allow hackers to steal information from anything printed or scanned using the device.
1
The researchers from F-Secure highlighted that printers are often connected to business networks and could leave confidential company information exposed if targeted.
The flaws have since been patched by HP.
The F-Secure research team conducted tests involving the HP MFP M725z model.
However, it also reportedly affected the HP Color LaserJet Enterprise, HP LaserJet Enterprise, HP PageWide, HP OfficeJet Enterprise Color, and HP ScanJet Enterprise 8500 FN1 Document Capture Workstation ranges, according to ZDNET.
The security breach included two flaws that were collectively named Printing Shellz.
They were discovered by the F-Secure Labs researchers Timo Hirvonen and Alexander Bolshev on April 29, 2021, with HP announcing the fix earlier this month.
The first flaw the team highlighted in the report was named CVE-2021-39238 and assigned a 9.3 severity score.
It was described as a “buffer overflow vulnerability impacting certain HP Enterprise LaserJet, HP LaserJet Managed, HP Enterprise PageWide, and HP PageWide Managed products.”
The second was named CVE-2021-39237 with a severity score of 7.1.
This was described as “an information disclosure vulnerability impacting certain HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers.”
The team released a video demo of the flaw in action, showing how a simple click on a spam email could trigger a code that would target a connected printer.
It was also reportedly possible for the flaw to attack a unit through a USB being used for printing.
“These vulnerabilities give attackers an effective way to steal information: defenders are unlikely to proactively examine the security of a printer, and so the attacker can simply sit back and steal whatever information it comes across (via employees printing, scanning, etc),” the F-Secure team said.
“They could also use the MFP as a pivot point to move through the corporate network.”
‘NO EVIDENCE OF EXPLOITATION’
“The flaws are in the unit’s communications board and font parser,” researchers Hirvonen and Bolshev added.
“An attacker can exploit them to gain code execution rights, with the former requiring physical access while the latter can be accomplished remotely.
“A successful attack will allow an adversary to achieve various objectives, including stealing information or using the compromised machine as a beachhead for future attacks against an organization.”
However, it was noted that no evidence existed that these flaws had been exploited by hackers before HP introduced a fix.
“Any organizations using affected devices should install the patches as soon as they’re available,” the researchers said.
“While exploiting these issues is somewhat difficult, the public disclosure of these vulnerabilities will help threat actors know what to look for to attack vulnerable organizations.”
It comes as Google users are urged to double-check their passwords in the face of phishing schemes, data grabs, and other attempts to steal personal information via Gmail, Google Drive, and Google Chrome activity.
GOOGLE USERS WARNED
Because Google accounts act as a centralized hub for many users, they can be a valuable mine of data for hackers, especially when it comes to Gmail accounts that are tied to other websites.
Hackers can exploit a Google account through various avenues to obtain personal information, so users need to be wary of the many openings for
“It’s risky to use the same password on multiple sites,” Google advises on its security page.
“If your password for one site is hacked, it could be used to get into your accounts for multiple sites,” the tech company explains.
Last week, Google also issued an urgent warning over Cloud accounts as Cryptocurrency miners target users and compromise them within 22 seconds.
Google’s cloud service is a collection of remote computing services which can include storage of customers’ data and files off-site – and gives advice on how to tackle them.
“The report’s goal is to provide actionable intelligence that enables organizations to ensure their cloud environments are best protected against ever-evolving threats,” Google said in its report.
“In this and future threat intelligence reports, the Google Cybersecurity Action Team will provide threat horizon scanning, trend tracking, and Early Warning announcements about emerging threats requiring immediate action.”
We pay for your stories!
Do you have a story for The US Sun team?
I’m a tech expert and I found a Gmail trick that almost no one knows exists
