Details have emerged about a 16-year-old security flaw in HP, Xerox, and Samsung printer drivers that lets attackers gain SYSTEM (administrator-level) privileges on any machine running the vulnerable driver software.
“This high severity vulnerability, which has been present in HP, Samsung, and Xerox printer software since 2005, affects more than a million devices and millions of users worldwide,” according to a SentinelOne report published today and shared with our experts.
The flaw, tracked as CVE-2021-3438, is a buffer overflow in SSPORT.SYS, a kernel driver shipped inside the print driver installer package, that can lead to local privilege escalation and arbitrary code execution. Millions of printers have shipped worldwide with the vulnerable driver to date.
How does this Vulnerability work?
There is currently no indication that the flaw has been abused in real-world attacks. As the researchers found, the buggy driver is installed automatically with the printer software and is loaded by Windows at every system boot.
This makes it a convenient target for attackers looking for an easy way to escalate privileges, since the flaw can be exploited even when no printer is connected to the targeted device.
Successful exploitation requires local user access, meaning that threat actors must first gain a foothold on the targeted device.
Once they have one, they can exploit the flaw to escalate privileges in a low-complexity attack that needs no user interaction.
The result is that an attacker with ordinary user privileges can elevate to SYSTEM and run code in kernel mode, potentially bypassing security products that would otherwise block the attack or the delivery of additional malicious payloads.
“Successfully exploiting a driver vulnerability might allow attackers to install programs, encrypt or delete data, or view, change, or create new accounts with full user rights,” SentinelOne explains.
“While we have not seen any sign that this vulnerability has been exploited in the wild so far, with hundreds of millions of enterprises and users vulnerable at the moment, it is inescapable that threat actors will seek out those that do not take the right actions.”
Users Urged to Update Promptly
A list of affected printer models that use the vulnerable driver can be found in HP’s security advisory and in Xerox’s security mini bulletin.
The issue was first reported to HP by SentinelLabs threat intelligence researchers on February 18, 2021, and fixes for the affected printers were published on May 19, 2021.
“The vulnerable function inside the driver accepts data sent from User Mode via IOCTL (Input/Output Control) without validating the size parameter,” SentinelOne researcher Asaf Amir said in a report shared with our experts. “This function directly copies a string from the user input using ‘strncpy’ with a size parameter that is controlled by the user. Most importantly, this allows attackers to overrun the buffer used by the driver.”
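The strncpy pattern Amir describes, as an added example that is not code from SSPORT.SYS, SentinelLabs, or the vendors: a user-space C model of an IOCTL handler that copies a user-supplied string using a user-supplied size into a fixed 32-byte buffer, next to a hardened handler that validates the size against the destination before copying. The buffer sizes, the sentinel-filled “adjacent state” after the buffer, the request struct, the status codes and the handler and demo function names are all assumptions made for the illustration; the sentinel bytes stand in for whatever the real driver keeps after its buffer.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Model sizes (assumptions for this illustration, not taken from SSPORT.SYS). */
#define NAME_LEN   32            /* fixed-size buffer the handler copies into  */
#define REGION_LEN 64            /* name buffer plus the driver state after it */
#define SENTINEL   0xA5          /* fill pattern that lets us spot an overrun  */

/* What an IOCTL hands the driver: a pointer to user-mode data and a size.
 * Both values are chosen by an unprivileged caller. */
struct ioctl_request {
    const char *data;
    size_t      size;
};

/* Model of the driver's kernel memory: bytes [0, NAME_LEN) are the name
 * buffer; bytes [NAME_LEN, REGION_LEN) stand in for whatever the real driver
 * keeps right after it (other fields, a return address, a function pointer). */
struct driver_ctx {
    unsigned char region[REGION_LEN];
};

enum { STATUS_SUCCESS = 0, STATUS_INVALID_PARAMETER = -1 };

static void ctx_init(struct driver_ctx *ctx)
{
    memset(ctx->region, 0, NAME_LEN);
    memset(ctx->region + NAME_LEN, SENTINEL, REGION_LEN - NAME_LEN);
}

/* 1 if nothing past the name buffer has been written. */
static int adjacent_state_intact(const struct driver_ctx *ctx)
{
    for (size_t i = NAME_LEN; i < REGION_LEN; i++)
        if (ctx->region[i] != SENTINEL)
            return 0;
    return 1;
}

/* Vulnerable pattern: the copy is bounded by the caller's size parameter,
 * not by the destination. Any size above NAME_LEN overruns the buffer. */
static int ioctl_vulnerable(struct driver_ctx *ctx, const struct ioctl_request *req)
{
    strncpy((char *)ctx->region, req->data, req->size);   /* BUG: req->size is untrusted */
    return STATUS_SUCCESS;
}

/* Hardened pattern: reject sizes the destination cannot hold, never read past
 * the declared size, and NUL-terminate (strncpy alone does not guarantee that). */
static int ioctl_hardened(struct driver_ctx *ctx, const struct ioctl_request *req)
{
    if (req->data == NULL || req->size == 0 || req->size > NAME_LEN - 1)
        return STATUS_INVALID_PARAMETER;

    size_t n = 0;                                  /* string length within the declared size */
    while (n < req->size && req->data[n] != '\0')
        n++;
    memcpy(ctx->region, req->data, n);
    ctx->region[n] = '\0';                         /* n <= NAME_LEN - 1, so in bounds */
    return STATUS_SUCCESS;
}

/* Scenario 1: a constructed 48-byte request hits the vulnerable handler.
 * Returns 1 if bytes after the name buffer were clobbered. */
int demo_vulnerable_overflow(void)
{
    struct driver_ctx ctx;
    char payload[49];
    memset(payload, 'A', 48);
    payload[48] = '\0';
    struct ioctl_request req = { payload, 48 };

    ctx_init(&ctx);
    ioctl_vulnerable(&ctx, &req);
    return !adjacent_state_intact(&ctx);
}

/* Scenario 2: the same request hits the hardened handler.
 * Returns 1 if it was rejected and the adjacent state is untouched. */
int demo_hardened_rejects_oversized(void)
{
    struct driver_ctx ctx;
    char payload[49];
    memset(payload, 'A', 48);
    payload[48] = '\0';
    struct ioctl_request req = { payload, 48 };

    ctx_init(&ctx);
    int rc = ioctl_hardened(&ctx, &req);
    return rc == STATUS_INVALID_PARAMETER && adjacent_state_intact(&ctx);
}

/* Scenario 3: a well-formed request still works with the hardened handler.
 * Returns 1 if the name was stored, terminated, and nothing else changed. */
int demo_hardened_accepts_valid(void)
{
    struct driver_ctx ctx;
    struct ioctl_request req = { "printer-01", 10 };

    ctx_init(&ctx);
    int rc = ioctl_hardened(&ctx, &req);
    return rc == STATUS_SUCCESS
        && strcmp((const char *)ctx.region, "printer-01") == 0
        && adjacent_state_intact(&ctx);
}

int main(void)
{
    printf("vulnerable handler overran the buffer: %s\n", demo_vulnerable_overflow() ? "yes" : "no");
    printf("hardened handler rejected the request: %s\n", demo_hardened_rejects_oversized() ? "yes" : "no");
    printf("hardened handler accepted a valid name: %s\n", demo_hardened_accepts_valid() ? "yes" : "no");
    return 0;
}
```

Build with any C99 compiler and run it: the vulnerable handler silently overwrites the 16 sentinel bytes after the buffer, while the hardened handler returns STATUS_INVALID_PARAMETER and leaves them alone. The two points the model is meant to make are that the bound passed to strncpy must come from the destination's size, never from the caller, and that strncpy does not NUL-terminate when the source fills the bound, so a kernel handler still has to terminate the buffer itself. In a real driver the same validation would sit before any copy, and the request buffer would be probed as user-mode memory first.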
Enterprise and home customers of HP, Xerox, and Samsung printers are urged to apply the patches released by HP and Xerox as soon as possible.
“Some Windows machines may already have this driver without even running a dedicated installation file, since this driver comes with Microsoft Windows via Windows Update,” the researchers said.
Earlier this year, SentinelOne researchers discovered a 12-year-old privilege escalation bug in Microsoft Defender Antivirus (formerly Windows Defender) that could let attackers gain admin privileges on unpatched Windows systems.
Microsoft Defender Antivirus is the default anti-malware solution on more than 1 billion systems running Windows 10, according to Microsoft’s statistics.