The vulnerability, tracked as CVE-2021-3438, affects hundreds of millions of Windows machines. Most concerning, the flaw has been present for at least 16 years and was only discovered this year, by researchers at SentinelOne.
“Since 2005 HP, Samsung, and Xerox have released millions of printers worldwide with the vulnerable driver,” the security company pointed out.
“Several months ago, while configuring a brand new HP printer, our team came across an old printer driver from 2005 called SSPORT.SYS thanks to an alert by Process Hacker once again. This led to the discovery of a high severity vulnerability in HP, Xerox, and Samsung printer driver software that has remained undisclosed for 16 years,” the researchers said.
Unfortunately, the list of affected printers includes more than 380 different HP and Samsung models and at least a dozen Xerox products. Since all of the affected models are manufactured by HP, SentinelOne reported the issue to HP.
CVE-2021-3438 Technical Description
According to MITRE’s description, the vulnerability is a potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung printers. If exploited, the bug could lead to privilege escalation.
More specifically, the vulnerability lies in a driver function that accepts data sent from user mode via Input/Output Control (IOCTL) requests without validating the size parameter.
“This function copies a string from the user input using ‘strncpy’ with a size parameter that is controlled by the user. Essentially, this allows attackers to overrun the buffer used by the driver,” SentinelOne explained.
The issue could allow unprivileged users to elevate their rights to the SYSTEM account, enabling them to run code in kernel mode. This is possible because the vulnerable driver is locally accessible to any user on the machine.
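To make the pattern SentinelOne describes concrete, the following is an added C model (not the driver’s code, and not from SentinelOne or HP) of an IOCTL handler that copies with strncpy under a caller-controlled length, beside the bounds-checked form. The 64-byte buffer size, the canary arena standing in for adjacent memory, and all function names are assumptions for illustration.

```c
#include <stdio.h>
#include <string.h>

#define DRV_BUF_SIZE 64    /* hypothetical fixed-size buffer inside the driver */
#define ARENA_SIZE   256   /* buffer plus the "adjacent memory" that follows it */
#define CANARY       0xAA

struct fake_driver {
    unsigned char arena[ARENA_SIZE]; /* [0,64) = buffer, [64,256) = neighbours */
};

void driver_init(struct fake_driver *d) { memset(d->arena, CANARY, ARENA_SIZE); }

/* Returns 1 if any byte past the buffer no longer holds the canary. */
int neighbours_corrupted(const struct fake_driver *d) {
    for (size_t i = DRV_BUF_SIZE; i < ARENA_SIZE; i++)
        if (d->arena[i] != CANARY) return 1;
    return 0;
}

/* Vulnerable pattern: the copy length comes straight from the IOCTL caller.
 * strncpy always writes exactly user_len bytes (NUL-padding past the end of
 * the source), so a large user_len runs past the 64-byte buffer. */
int ioctl_copy_unchecked(struct fake_driver *d, const char *in, size_t user_len) {
    if (user_len > ARENA_SIZE) return -1;   /* only so this model stays well-defined */
    strncpy((char *)d->arena, in, user_len);
    return 0;
}

/* Hardened pattern: validate the caller-supplied length against the
 * destination before copying, and always NUL-terminate. */
int ioctl_copy_checked(struct fake_driver *d, const char *in, size_t user_len) {
    if (in == NULL || user_len >= DRV_BUF_SIZE) return -1; /* reject, don't truncate silently */
    strncpy((char *)d->arena, in, user_len);
    d->arena[user_len] = '\0';
    return 0;
}

/* Scenario helpers: each returns 1 when the expected outcome is observed. */
int demo_unchecked_overruns(void) {
    struct fake_driver d; driver_init(&d);
    return ioctl_copy_unchecked(&d, "hello", 200) == 0 && neighbours_corrupted(&d);
}
int demo_checked_rejects(void) {
    struct fake_driver d; driver_init(&d);
    return ioctl_copy_checked(&d, "hello", 200) == -1 && !neighbours_corrupted(&d)
        && ioctl_copy_checked(&d, "hello", 5) == 0 && strcmp((char *)d.arena, "hello") == 0;
}

int main(void) {
    printf("unchecked copy overruns neighbours: %d\n", demo_unchecked_overruns()); /* 1 */
    printf("checked copy rejects oversize length: %d\n", demo_checked_rejects());  /* 1 */
    return 0;
}
```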
Printer driver vulnerabilities are an attractive attack vector, as these drivers are effectively omnipresent on Windows systems and are loaded automatically at system startup.
The driver is installed and loaded without any prior notification to the user.
“Whether you are configuring the printer to work wirelessly or via a USB cable, this driver gets loaded. In addition, it will be loaded by Windows on every boot. This makes the driver a perfect candidate to target since it will always be loaded on the machine even if there is no printer connected,” the researchers pointed out.
Since this is a local flaw, cybercriminals may need to chain it with other vulnerabilities to first obtain access to a system. Fortunately, no active attacks have been detected in the wild.
Users should refer to HP’s support page to locate their printer model and download the available patch file.
It should be noted that “some Windows machines may already have this driver without even running a dedicated installation file, since the driver comes with Microsoft Windows via Windows Update,” SentinelOne said.
“With millions of printer models currently vulnerable, it is inevitable that if attackers weaponize this vulnerability they will seek out those that have not taken the appropriate action,” the company concluded.
A few years ago, security researchers reported two critical security issues in HP printers. One of the vulnerabilities resided in the firmware of certain HP printers, and it was classified as very critical. This vulnerability is known as CVE-2018-5924 and affected an unknown function.
The second vulnerability, CVE-2018-5925, was related to the first one.