Date: 2021-10-08

Security researchers have published details about two serious vulnerabilities that impact over 150 different HP multifunction printer models with FutureSmart firmware going back at least nine years. The attack vectors associated with the flaws and their impact serve as a reminder that printers can pose significant security risks to enterprise networks if not properly secured, updated and segmented.

"For one, the vulnerabilities date back to at least 2013 and affect a large number of HP products released," researchers from security firm F-Secure, who found the flaws, said in their report. "HP is a large company that sells products all over the world. Many companies are likely using these vulnerable devices. To make matters worse, many organizations don’t treat printers like other types of endpoints. That means IT and security teams forget about these devices’ basic security hygiene, such as installing updates."

Exploiting one of the vulnerabilities requires physical access and can be done through physical ports that are exposed on the device's communications board. A skilled attacker with physical access to a vulnerable multifunction printer (MFP) would need around five minutes to perform the attack and deploy a stealthy implant that could take full control of the device and exfiltrate potentially sensitive information.

The second vulnerability is even more dangerous because it's located in the firmware's font parsing code and essentially allows anyone who can print a specially crafted file to execute malicious code on the vulnerable MFPs. The vulnerability is wormable and exploitation can be achieved in seconds through multiple remote attack vectors, including by users visiting malicious websites.