Verder naar navigatie Doorgaan naar hoofdinhoud Ga naar de voettekst

Technical Advisory: Multiple Vulnerabilities in HP Printers

Multiple vulnerabilities, ranging Cross-Site Scripting to buffer overflows, were found in several HP printers:

Multiple Buffer Overflows in IPP Service (CVE-2019-6327)
Buffer Overflow in Web Server (CVE-2019-6326)
Multiple Cross-Site Scripting Vulnerabilities (CVE-2019-6323, CVE-2019-6324)
Cross-Site Request Forgery Countermeasures Bypass (CVE-2019-6325)

 

Technical Advisories:

Multiple Buffer Overflows in IPP Service (CVE-2019-6327)

Vendor: HP
Vendor URL: https://support.hp.com/us-en/document/c06356322 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-6327
Risk: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Summary

Some HP printers were affected by multiple overflow vulnerabilities in the IPP service. This would allow an attacker to cause a Denial of Service (DoS) and potentially execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can lead to crash the device, and potentially to remote code execution on the affected device.

Details

Specially crafted requests to the IPP service will cause a vulnerable device to crash. Multiple buffer overflow vulnerabilities have been identified in different parameter names and values of the IPP service of HP devices that allow an attacker to crash the device and potentially execute arbitrary code.

CVSSv3 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

Printer Name Model Number Firmware Version
HP COLOR LASERJET PRO M280-M281 MULTIFUNCTION PRINTER SERIES T6B80A, T6B83A, T6B81A, T6B82A <20190419
HP LASERJET PRO MFP M28-M31 PRINTER SERIES W2G54A, W2G55A, Y5S53A, Y5S55A, Y5S50A, Y5S54A <20190426

 

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and June: Permanent email contact between NCC Group and HP in order to follow up the process.
2019-05-30: HP Security Bulletin released 
2019-06-26: NCC Group Advisory released

References

HP Security Bulletin:
https://support.hp.com/us-en/document/c06356322

CVE-2019-6327
https://nvd.nist.gov/vuln/detail/CVE-2019-6327

 

Buffer Overflow in Web Server
(CVE-2019-6326)

Vendor: HP
Vendor URL: https://support.hp.com/us-en/document/c06356322 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-6326
Risk: 7.2 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Summary

Some HP printers were affected by a buffer overflow vulnerability in the web application that would allow an attacker to cause a Denial of Service (DoS) and potentially execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can lead to crash the device, and potentially to remote code execution on the affected device.

Details

Specially crafted requests with long parameter values will cause a vulnerable device to crash. A buffer overflow vulnerability has been identified in a parameter value of HP devices that allow an attacker to crash the device and potentially execute arbitrary code.

CVSSv3 Base Score: 7.2 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 1.2

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

Printer Name Model Number Firmware Version
HP COLOR LASERJET PRO M280-M281 MULTIFUNCTION PRINTER SERIES T6B80A, T6B83A, T6B81A, T6B82A <20190419
HP LASERJET PRO MFP M28-M31 PRINTER SERIES W2G54A, W2G55A, Y5S53A, Y5S55A, Y5S50A, Y5S54A <20190426

 

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and June: Permanent email contact between NCC Group and HP in order to follow up the process.
2019-05-30: HP Security Bulletin released 
2019-06-26: NCC Group Advisory released

References

HP Security Bulletin:
https://support.hp.com/us-en/document/c06356322

CVE-2019-6326
https://nvd.nist.gov/vuln/detail/CVE-2019-6326

 

Multiple Cross-Site Scripting Vulnerabilities (CVE-2019-6323, CVE-2019-6324)

Vendor: HP
Vendor URL: https://support.hp.com/us-en/document/c06356322 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-6323, CVE-2019-6324
Risk: CVE-2019-6323: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
 CVE-2019-6324: 4.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)

Summary

Multiple Cross-Site Scripting vulnerabilities, including Stored Cross-Site Scripting issues, were found in the HP Management Web Application.

Impact

Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions.

Details

Several functionalities related with the WiFi configuration were vulnerable to Cross-Site Scripting attacks. This type of vulnerability occurs when untrusted data is included in the resulting page without being correctly HTML-encoded, and client-side executable code may be injected into the dynamic page.

CVE-2019-6323:
CVSSv3 Base Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Impact Subscore: 2.7
Exploitability Subscore: 2.8

CVE-2019-6324:
CVSSv3 Base Score: 4.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
Impact Subscore: 2.7
Exploitability Subscore: 1.7

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

Printer Name Model Number Firmware Version
HP COLOR LASERJET PRO M280-M281 MULTIFUNCTION PRINTER SERIES T6B80A, T6B83A, T6B81A, T6B82A <20190419
HP LASERJET PRO MFP M28-M31 PRINTER SERIES W2G54A, W2G55A, Y5S53A, Y5S55A, Y5S50A, Y5S54A <20190426

 

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and June: Permanent email contact between NCC Group and HP in order to follow up the process.
2019-05-30: HP Security Bulletin released 
2019-06-26: NCC Group Advisory released

References

HP Security Bulletin:
https://support.hp.com/us-en/document/c06356322

CVE-2019-6323
https://nvd.nist.gov/vuln/detail/CVE-2019-6323

CVE-2019-6324
https://nvd.nist.gov/vuln/detail/CVE-2019-6324

 

Cross-Site Request Forgery Countermeasures Bypass (CVE-2019-6325)

Vendor: HP
Vendor URL: https://support.hp.com/us-en/document/c06356322 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-6325
Risk: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Summary

The Cross-Site Request Forgery countermeasures of the HP management web application was not properly implemented, and it was possible to bypass it. As a result, CSRF attacks could be performed within any domain that contained the hostname of the device.

Impact

Successful exploitation of this vulnerability can lead to an administrator unwittingly performing actions within the application such as adding accounts to the system or changing settings.

Details

The mechanism to avoid Cross-Site Request Forgery attacks of the HP management web application did not properly check the Referer and Origin headers. As an example, if the hostname of a printer is “hp01.local”, it would accept Origin and Referer headers coming from “hp01.local.nccgroup.com”.

CVSSv3 Base Score: 8.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 2.8

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

Printer Name Model Number Firmware Version
HP COLOR LASERJET PRO M280-M281 MULTIFUNCTION PRINTER SERIES T6B80A, T6B83A, T6B81A, T6B82A <20190419
HP LASERJET PRO MFP M28-M31 PRINTER SERIES W2G54A, W2G55A, Y5S53A, Y5S55A, Y5S50A, Y5S54A <20190426

 

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and June: Permanent email contact between NCC Group and HP in order to follow up the process.
2019-05-30: HP Security Bulletin released 
2019-06-26: NCC Group Advisory released

References

HP Security Bulletin:
https://support.hp.com/us-en/document/c06356322

CVE-2019-6325
https://nvd.nist.gov/vuln/detail/CVE-2019-6325

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.