Researchers have released technical details on a high-severity privilege-escalation flaw in HP printer drivers (also used by Samsung and Xerox), which impacts hundreds of millions of Windows machines.
The bug could allow cyber-attackers to bypass security products, tamper with data and run code in kernel mode.
If exploited, cyber-attackers could bypass security products; install programs; view, change, encrypt or delete data; or create new accounts with more extensive user rights.
Only Uncovered in 2021
The bug (CVE-2021-3438) has hidden in systems for 16 years, researchers at SentinelOne stated, but was only uncovered in 2021. It carries an 8.8 out of 10 rating on the CVSS scale, making it high severity.
As the researchers outlined, the vulnerability exists in a function inside the driver that accepts data sent from user mode via an Input/Output Control (IOCTL) request; it does so without validating the size parameter.
As the name suggests, IOCTL is a system call for device-specific input/output operations.
“This function copies a string from the user input using ‘strncpy’ with a size parameter that is controlled by the user,” according to SentinelOne’s analysis, released on Tuesday. “Essentially, this allows attackers to overrun the buffer used by the driver.”
As a result, because the vulnerable driver is locally accessible to any user, an unprivileged user can elevate to a SYSTEM account and run code in kernel mode, the firm explains.
The printer-based attack vector is perfect for cyber-criminals, according to SentinelOne, since printer drivers are extremely common on Windows machines and are automatically loaded on every start-up.
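The copy pattern the researchers describe, as an added illustration written for this article rather than the driver’s own source: a hypothetical IOCTL handler that hands a user-supplied size straight to strncpy, beside one that validates the size against both the input the caller actually provided and the fixed kernel buffer before copying. The names (handle_ioctl_vulnerable, DRIVER_BUF_SIZE, the status codes) and the 32-byte buffer are assumptions; a real Windows driver would take the caller’s buffer length from the IRP’s DeviceIoControl parameters.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>

/* Hypothetical model of the IOCTL path described in the article: a fixed-size
 * driver buffer and a request whose size field comes from user mode. */
#define DRIVER_BUF_SIZE 32

typedef struct {
    const char *data;  /* user-mode string as copied into the system buffer */
    uint32_t size;     /* size field taken straight from the user request */
} ioctl_request_t;

/* Status codes standing in for NTSTATUS values (assumed names). */
enum { STATUS_OK = 0, STATUS_INVALID_PARAMETER = 1, STATUS_BUFFER_TOO_SMALL = 2 };

/* VULNERABLE pattern (modelled on the advisory's description): the
 * user-controlled size reaches strncpy unchecked, so any size larger than
 * DRIVER_BUF_SIZE writes past the end of the driver's buffer. */
int handle_ioctl_vulnerable(const ioctl_request_t *req, char out[DRIVER_BUF_SIZE]) {
    strncpy(out, req->data, req->size);   /* no bounds check at all */
    return STATUS_OK;
}

/* HARDENED version: the size is checked against the length the caller
 * really supplied (input_len, i.e. the IRP's InputBufferLength) and against
 * the destination, leaving room for the terminator, before any byte moves. */
int handle_ioctl_hardened(const ioctl_request_t *req, size_t input_len,
                          char out[DRIVER_BUF_SIZE]) {
    if (req == NULL || req->data == NULL)
        return STATUS_INVALID_PARAMETER;
    if (req->size > input_len)            /* claims more data than was passed in */
        return STATUS_INVALID_PARAMETER;
    if (req->size >= DRIVER_BUF_SIZE)     /* would not fit with a NUL terminator */
        return STATUS_BUFFER_TOO_SMALL;
    memcpy(out, req->data, req->size);
    out[req->size] = '\0';
    return STATUS_OK;
}

int main(void) {
    char out[DRIVER_BUF_SIZE];
    ioctl_request_t ok = { "PRINTER-QUEUE-01", 16 };      /* constructed input */
    ioctl_request_t big = { "PRINTER-QUEUE-01", 4096 };   /* lying size field */
    printf("valid request -> status %d, copied \"%s\"\n",
           handle_ioctl_hardened(&ok, 16, out), out);
    printf("oversized size field -> status %d (rejected before copy)\n",
           handle_ioctl_hardened(&big, 16, out));
    return 0;
}
```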
“Thus, in effect, this driver gets installed and loaded without even asking or notifying the user,” explained the researchers.
“Whether you are configuring the printer to work wirelessly or via a USB cable, this driver gets loaded. In addition, it will be loaded by Windows on every boot. This makes the driver a perfect candidate to target since it will always be loaded on the machine even if there is no printer connected.”
Weaponizing the bug might require chaining other vulnerabilities to achieve initial access into an environment. So far, no in-the-wild attacks have been observed.
“While we haven’t seen any indicators that this vulnerability has been exploited in the wild up till now, with hundreds of millions of enterprises and users currently vulnerable, it is inevitable that attackers will seek out those that do not take the appropriate action,” researchers warned.
Fix the HP Printer-Driver Bug
Device-driver vulnerabilities are not uncommon, so SentinelOne also suggested reducing the attack surface with some best practices, including enforcing strong access control lists (ACLs), which control access to packages, folders and other elements (such as services, document types and specifications) at the group level.
It is also important to validate user input and not to expose a generic interface to kernel-mode operations, they added.
“While HP is releasing a patch (a fixed driver), it should be noted that the certificate has not yet been revoked at the time of writing,” according to SentinelOne. “This is not considered best practice since the vulnerable driver can still be used in bring-your-own-vulnerable-driver (BYOVD) attacks.”
Some Windows machines may already have the vulnerable driver without even running a dedicated installation file, researchers warned, since it comes with Microsoft Windows via Windows Update.
“This high-severity vulnerability affects hundreds of millions of devices and millions of users worldwide,” according to SentinelOne. “The impact this could have on users and enterprises that fail to patch is far-reaching and significant.”
SentinelOne has found previous vulnerabilities of this kind, such as a group affecting Dell’s firmware-update driver that remained hidden for 12 years. In that case, revealed in May, five high-severity security flaws were found to impact potentially hundreds of millions of Dell desktops, laptops, notebooks and tablets.
They could allow attackers to bypass security products, execute code and pivot to other parts of the network for lateral movement, according to SentinelLabs.