Researchers of F-Secure recently released the details of two critical Remote Code Execution (RCE) vulnerabilities (CVE-2021-39238 and CVE-2021-39237) affecting 150 types of HP printers. The vulnerabilities are believed to be at least 8 years old and impact millions of devices around the world.
Fixing printer vulnerabilities is low on the to-do list of the security teams. They are not a critical resource or repository by themselves and they are not considered to be directly exposed to remote attackers. But here’s why this story should ring a warning bell with security teams and need to be placed high, actually, on the network security agenda:
- Printers are exposed to external attackers: Many printers support Peer-to-Peer wireless capabilities which are enabled by default. Through this interface ANY rogue Wi-Fi device within a 100 feet of the printer could exploit a printer vulnerability. Security teams rarely have procedures to ensure the disabling of such interfaces and currently have no tools for ensuring that these interfaces remain disabled. Moreover, printers that support Wi-Fi Direct are exposed to the Internet via tools such as Wigle.net that rely on mobile phones-in-transit to report their existence.
- Printers can be remotely attacked. An attacker does not actually need to be physically within 100 feet of the vulnerable printer in order to launch an attack. The abundance of insecure wireless devices in public space provides the attacker with ample opportunity to remotely take over such a device and use it as a launchpad for the attack against the printer. These so-called Antenna for Hire could be a security camera across the street, a laptop of a careless neighbor or even the wireless router of the cafe in the building lobby.
- Printers have nothing but the most basic security on them. Printers cannot be installed with EDR software and hence rely on very basic security capabilities built into their firmware. Additionally there is no solid mechanism for centralized management of security configurations for printers. Even security patch-application is not centrally managed. Hence, if vulnerable, printers make a perfect entry and exit point for attackers as organizations remain pretty much oblivious to what happens inside the printer’s software.
- Printers provide weak forensic capabilities Unlike many servers, stations and gateways in a corporate network that can be configured to collect and provide extensive forensic data, printers have limited logging capabilities and are rarely configured to actually use these capabilities, let alone collect them centrally.
The Issues Goes Beyond Printers
Apparently printers and other Wi-Fi devices, including IT peripherals, IoT and OT devices, are directly exposed to remote attackers. Vulnerable devices of this type present an immediate risk to the corporate network to which they connect. Recent examples include printers, security cameras, and various types of medical devices.
According to this survey by Palo Alto Networks, “78% of IT decision-makers who have IoT devices connected to their organization’s network reported an increase in non-business IoT devices on corporate networks in the last year.”
Security teams must acknowledge this new attack surface comprised of many devices with the following characteristics:
- Exposure to wireless traffic
- Weak built-in security
- Lack of centralized security management
- Lack of enhanced security
- Scarce forensic data
What can security teams do?
Since exposure is through wireless traffic, security teams need to put in place solutions that will help them regain control of the this new attack surface:
- Continuously monitor the network airspace and classify what is a corporate asset and what isn’t.
- Feed that knowledge to determine violations of your wireless security policy, such as a non-corporate device attempting to connect to a printer, or the printer attempting to connect to the device.
- Prevent that dangerous interaction
The best way to go around this would be to implement a Network Airspace Control and Protection (NACP) solution which, in a laser-focus way, prevents the violating interaction. It does so without requiring any network configuration changes or architectural changes in order to fit in seamlessly within your network security stack.