The bug could allow attackers to bypass security products, tamper with data and run code in kernel mode.
Researchers have disclosed technical details of a high-severity privilege-escalation flaw in HP printer drivers (also used by Samsung and Xerox) that affects hundreds of millions of Windows machines.
If exploited, attackers could bypass security products, install programs, view, change, encrypt or delete data, or create new accounts with greater user rights.
The bug (CVE-2021-3438) has lurked in systems for 16 years, researchers at SentinelOne said, but was only discovered this year. It carries an 8.8 out of 10 rating on the CVSS scale, making it high-severity.
According to the researchers, the vulnerability exists in a function inside the driver that accepts data sent from user mode via an Input/Output Control (IOCTL) request; it does so without validating the size parameter. As the name suggests, an IOCTL is a system call for device-specific input/output operations.
"This function copies a string from the user input using 'strncpy' with a size parameter that is controlled by the user," according to SentinelOne's analysis, published on Tuesday. "Essentially, this allows attackers to overrun the buffer used by the driver."
As a result, unprivileged users can elevate themselves to a SYSTEM account, allowing them to run code in kernel mode, since the vulnerable driver is locally available to any user, according to the company.
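The pattern SentinelOne describes, shown as an added illustration rather than the actual HP/Samsung/Xerox driver code: a hypothetical IOCTL handler that copies a caller-supplied string with strncpy() using a caller-supplied length, next to a version that validates the length against the fixed kernel buffer before copying. The buffer size, request structure and status codes are assumptions for the example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DEVICE_NAME_MAX 64      /* hypothetical fixed-size buffer inside the driver */

enum status { STATUS_OK = 0, STATUS_INVALID_PARAMETER = -1, STATUS_BUFFER_TOO_SMALL = -2 };

/* Hypothetical request as it would arrive from user mode through DeviceIoControl():
 * a string plus a length, both chosen by the (possibly unprivileged) caller. */
struct ioctl_request {
    const char *data;   /* user-mode string */
    size_t      length; /* caller-controlled size parameter */
};

/* Vulnerable pattern: the size handed to strncpy() comes straight from the request,
 * so a length larger than DEVICE_NAME_MAX writes past 'name' (a stack/pool overrun).
 * Shown for comparison only; nothing below calls it. */
void copy_unchecked(char name[DEVICE_NAME_MAX], const struct ioctl_request *req)
{
    strncpy(name, req->data, req->length);   /* no check against the buffer size */
}

/* Hardened handler: reject any length that would not fit together with the
 * terminating NUL, then copy and terminate explicitly (strncpy does not always
 * NUL-terminate). A real driver would also have to probe/capture the user pointer
 * before touching it; that step is omitted here. */
int handle_ioctl_checked(char name[DEVICE_NAME_MAX], const struct ioctl_request *req)
{
    if (req->data == NULL)
        return STATUS_INVALID_PARAMETER;
    if (req->length >= DEVICE_NAME_MAX)   /* would overrun, or leave no room for NUL */
        return STATUS_BUFFER_TOO_SMALL;
    strncpy(name, req->data, req->length);
    name[req->length] = '\0';
    return STATUS_OK;
}

/* Convenience wrapper: build a request, run the checked handler on a local buffer
 * and return the status the driver would report back to user mode. */
int demo_request(const char *data, size_t length)
{
    char name[DEVICE_NAME_MAX];
    struct ioctl_request req = { data, length };
    return handle_ioctl_checked(name, &req);
}

int main(void)
{
    /* Constructed inputs: a sane request and one with an oversized length. */
    printf("normal request  -> status %d\n", demo_request("HP-LaserJet", 11));
    printf("oversized length -> status %d\n", demo_request("x", 4096));
    return 0;
}
```

The second call is exactly the shape of input that the unchecked copy would accept and overrun on; the checked handler refuses it before any memory is written.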
The printer-based attack vector is attractive to cybercriminals, according to SentinelOne, because printer drivers are essentially ubiquitous on Windows devices and are automatically loaded on every startup.
"Thus, in effect, this driver gets installed and loaded without even asking or notifying the user," the researchers said. "Whether you are configuring the printer to work wirelessly or via a USB cable, this driver gets loaded. In addition, it will be loaded by Windows on every boot. This makes the driver an ideal candidate to target since it will always be loaded on the machine even if there is no printer connected."
Weaponizing the bug might require chaining other vulnerabilities to gain initial access to an environment. So far, no in-the-wild attacks have been observed.
"While we haven't seen any indicators that this vulnerability has been exploited in the wild up until now, with hundreds of millions of enterprises and users currently vulnerable, it is inevitable that attackers will seek out those that do not take the appropriate action," the researchers warned.
How to Fix the HP Printer-Driver Bug
Because the bug has existed since 2005, it affects a very long list of printer models, the researchers noted; the affected models and associated patches can be found here and here.
Device-driver vulnerabilities are not unusual, so SentinelOne also suggested reducing the attack surface with some best practices, including enforcing strong access control lists (ACLs), which control access to packages, folders and other objects (such as services, file types and specifications) at the group level. It is also a good idea to validate user input and not to expose a generic interface to kernel-mode operations, they added.
"While HP is releasing a patch (a fixed driver), it should be noted that the certificate has not yet been revoked at the time of writing," according to SentinelOne. "This is not considered best practice since the vulnerable driver can still be used in bring-your-own-vulnerable-driver (BYOVD) attacks."
Some Windows machines may already have the vulnerable driver without ever running a dedicated installation file, the researchers warned, since it ships with Microsoft Windows via Windows Update.
"This high-severity vulnerability affects hundreds of millions of devices and millions of users worldwide," according to SentinelOne. "The impact this could have on users and enterprises that fail to patch is far-reaching and significant."
SentinelOne has found previous vulnerabilities of this kind, such as a group affecting Dell's firmware-update driver that remained hidden for 12 years. In that case, disclosed in May, five high-severity security flaws were found to affect potentially hundreds of millions of Dell desktops, laptops, notebooks and tablets. They could allow attackers to bypass security products, execute code and pivot to other parts of the network for lateral movement, according to SentinelLabs.