New day, new vulnerability. HP has just released firmware patches to address a security bug disclosed by FoxGlove researchers, which enabled hackers to carry out remote code execution attacks on enterprise-grade printers. The flaw in question has been identified as CVE-2017-2750. It was reported to HP in August and has been rated 8.1 on the CVSS scale.
CVE-2017-2750 Leads to Remote Code Execution
To locate CVE-2017-2750, the researchers tested out HP’s Page Wide Enterprise MFP 586 and the HP Color LaserJet Enterprise M553 models. Both models turned out vulnerable. The researchers were able to reverse engineer the “.BDL” (bundle) extension files located in HP firmware.
Once this code was reverse engineered, the experts crafted and uploaded hatched firmware files. This is how they discovered where signature validation was happening so that the protections were bypassed successfully.
What happened next is that the researchers were able to design malware to exploit the printers’ security weaknesses and carried out remote code execution attacks.
HP has issued a security advisory where the vulnerability has been summarized as “Insufficient Solution DLL Signature Validation allows potential execution of arbitrary code”.
Affected printers include: HP Color LaserJet Enterprise M651, HP Color LaserJet Enterprise M652, HP Color LaserJet Managed E65060, HP LaserJet Enterprise 800 color MFP M880, and many more.
A firmware update is already available, and it can be downloaded manually from HP via the firmware search tool.
Earlier this year, security researchers from security firm Modzero came across a built-in keylogger in an HP audio driver while examining Windows Active Domain infrastructure.
“Security reviews of modern Windows Active Domain infrastructures are – from our point of view – quite sobering. Therefore, we often look left and right, when, for example, examining the hardening of protection mechanisms of a workstation,” the researchers said.
The keylogger has apparently been present on HP computers since Christmas 2015 or even earlier.