Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

HP Disputes Printer Security Vulnerabilities

Weaknesses in printer networking software could be used to bypass authentication, deny service and retrieve documents from any user, Spanish researcher says.

Who Is Hacking U.S. Banks? 8 Facts
Who Is Hacking U.S. Banks? 8 Facts
(click image for larger view and for slideshow)
HP is disputing the feasibility of several vulnerabilities in its JetDirect print server software that recently were highlighted by a researcher.

Information security researcher Sebastian Guerrero said that by using HP printer language command tags, he'd been able to retrieve other people's print jobs or assign them to a different user -- thus bypassing fingerprint or smart card checks built into a printer -- as well as crash a printer by using printer-command tags containing unexpected content.

"Based on what was disclosed it appears that the device was intentionally sent a corrupting job -- basically to try and disable the printer," said Keith Moore, chief technologist at HP LaserJet Solutions group, speaking by phone about one of the disclosed vulnerabilities. "If you're intentionally sending corrupt print jobs, yes the printer has a hard time knowing what to do with that, but that's where rebooting [comes in]," said Moore.

[ HP is not the only vendor whose printers carry certain security risks. Read Samsung Printers Have Hidden Security Risk. ]

"The other claims don't seem to be supported, and if you properly configure the device --as we recommend -- [they] technically can't be done," said Moore.

"HP takes our customers' security very seriously," said a spokeswoman in a follow-up email. "Our team has investigated the security allegations ... and determined that the claims that someone can bypass built-in biometric defenses and recover previously printed documents are false."

The crucial point in HP's rebuttal of parts of Guerrero's research, however, hangs on printers being properly configured, and to put that into practice, Moore pointed to "HP Imaging and Printing Security Best Practices," a document HP developed for distribution by the National Institute of Standards and Technologies (NIST). One of the document's chief recommendations is that printer administrators use the free HP Web Jetadmin, which is billed as "the recommended management tool for all HP network printing and digital sending products," and which can control all of the settings that HP recommends be set to maximize security.

Those configurations boil down to one recommendation: "It's essentially setting passwords on devices, or in businesses or enterprises especially, we'd encourage people to use something like HP Access Control, where the document won't even come out until you're standing at the device," said Moore, referring to HP Access Control (HPAC) Printing Solutions, which is designed to secure sensitive and confidential information in printing environments.

Late last week, Moore said HP was still trying to contact Guerrero to ensure that it's obtained a full disclosure of all vulnerabilities. But Guerrero, who's a researcher at viaForensics, reported via email that he'd already been in touch. "I can assure you that I have been in contact with them and furthermore, they were aware of these vulnerabilities before my article was published," he said.

In fact, in his research Guerrero already had noted that some of his exploits were feasible only when the printer didn't have a password enabled. Discussing viewing someone else's print jobs, for example, "I think this one has been misunderstood," he said. "As I said before, the printer has a log, where the jobs sent are stored, and some printers include the possibility to preview these jobs. If the printer doesn't use a password you can get access to the log and see the document."

But not all of the vulnerabilities he identified revolve around passwords. For example, to assign a document to a different user, "you can set some PCL/PJL tags in order to assign a job to a user, independent of whether the printer did -- or did not -- set a password," he said. "If you send the job to its queue, the job will be registered on the log with the information stored in its tags."

Guerrero emphasized that there's no coding flaw here. "It's just a leak of security on the printer, this is not HP's bug," he said. "Furthermore, this vulnerability affects printers from more manufacturers, for example, Ricoh. I can assure you that."

Another security concern is that any printers inside the network -- from HP or otherwise -- would be vulnerable to remote attacks that retrieve documents that have been printed using the device, or install custom malicious malware, especially if the printers didn't have passwords enabled or aren't running security software such as HPAC. HP's Moore, however, dismissed the threat of remote exploits of machines running JetDirect. "Typically, a firewall blocks [external attacks], so remote attacks are unlikely," he said.

But Michael Sutton, VP of security research for Web security firm Zscaler Labs, has published research showing that embedded Web servers in devices -- such as printers and photocopiers -- are often Internet-connected and unsecured with either passwords or firewalls. That would make the devices of interest for corporate espionage purposes.

Similarly, blogger Adam Howard at Port3000 posted a Google search Friday that turns up thousands of Internet-connected printers. "A quick, well crafted Google search returns 'about 86,800 results' for publically accessible HP printers," said Howard. "There's something interesting about being able to print to a random location around the world, with no idea of the consequence. Lock down your printer :) PS: There are security concerns here, as many printer models have known exploits which can be used as an entry point to a private network."

Likewise, a Google search for LCDispatcher ("inurl:hp/device/this.LCDispatcher") shared by the Google Dorks website -- amongst other locations -- returned 968,000 hits. LCDispatcher is a component in Internet-connected print servers running JetDirect, meaning the hits are apparently all printers that have their configuration pages available via the Internet.

InformationWeek is surveying IT executives on global IT strategies. Upon completion of our survey, you will be eligible to enter a drawing to receive an Apple 32-GB iPad mini. Take our

Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Ninja
2/3/2013 | 5:25:07 PM
re: HP Disputes Printer Security Vulnerabilities
So what exactly is HP stating, that if you launch a no holds barred attack then only is printer vulnerable? If Sebastian Guerrero has documented evidence, then what is in dispute here? It makes HP look even worse, then admitting and addressing the vulnerability. I agree that it is standard practice to change the default password, but HP has to take that into consideration that non-technical people will be using their printers and should have some step-by-step walk through for automatically changing your password before it goes live on your network.

Paul Sprague
InformationWeek Contributor
User Rank: Apprentice
1/30/2013 | 4:08:06 PM
re: HP Disputes Printer Security Vulnerabilities
I am quite certain that the majority of individuals and SMB's that use network capable printers are unaware of how they can be exploited. This is an awareness issue.

Almost all "network capable" printers these days have the ability to be managed remotely using their embedded web server. While that makes it convenient to manage the printer by not having to physically use the printer's controls, it opens up Pandora's box in how a given printer can be exploited.

I would bet the farm that most individuals and SMB's buy a printer, stick it on their network, and never change the default password - which is well known. HP (in particular) is dreaming if they think most customers will take the time to download and use their management tools to secure the printer. This is/has not been top of mind for most companies.
7 Old IT Things Every New InfoSec Pro Should Know
Joan Goodchild, Staff Editor,  4/20/2021
Cloud-Native Businesses Struggle With Security
Robert Lemos, Contributing Writer,  5/6/2021
Defending Against Web Scraping Attacks
Rob Simon, Principal Security Consultant at TrustedSec,  5/7/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2021-05-15
A XSS Vulnerability in /uploads/dede/action_search.php in DedeCMS V5.7 SP2 allows an authenticated user to execute remote arbitrary code via the keyword parameter.
PUBLISHED: 2021-05-15
DedeCMS V5.7 SP2 contains a CSRF vulnerability that allows a remote attacker to send a malicious request to to the web manager allowing remote code execution.
PUBLISHED: 2021-05-14
The Linux kernel before 5.11.14 has a use-after-free in cipso_v4_genopt in net/ipv4/cipso_ipv4.c because the CIPSO and CALIPSO refcounting for the DOI definitions is mishandled, aka CID-ad5d07f4a9cd. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
In the Linux kernel before 5.12.4, net/bluetooth/hci_event.c has a use-after-free when destroying an hci_chan, aka CID-5c4c8c954409. This leads to writing an arbitrary value.
PUBLISHED: 2021-05-14
The block subsystem in the Linux kernel before 5.2 has a use-after-free that can lead to arbitrary code execution in the kernel context and privilege escalation, aka CID-c3e2219216c9. This is related to blk_mq_free_rqs and blk_cleanup_queue.