Finding HP printers and MFPs vulnerable to Printing Shellz

, by Pearce Barry

Do you have HP printers and multi-function printers (MFPs)? You might want to look at the two recently published vulnerabilities that affect 150+ models. Named “Printing Shellz” by the F-Secure security researchers who reported them, these vulns have been around for ~8 years.

When successfully exploited, can provide attackers with:

  • CVE-2021-39237, “medium” CVSS score of 4.6 - Information disclosure via exposed connectors to gain shell access (requires physical access to the vulnerable device).
  • CVE-2021-39238, “critical” CVSS score of 9.8 - Remote code execution via buffer overflow in the font parsing logic.

HP LaserJet, PageWide, OfficeJet, and ScanJet product lines all contain vulnerable models. You can find the full lists in HP’s posted advisories: CVE-2021-39237 and CVE-2021-39238.

HP released patched firmware last month and urged owners of affected printers to update their firmware as soon as possible. F-Secure’s researchers also offer some mitigation strategies, as well in section 6 of their writeup.

How to find vulnerable HP printers and MFPs with Rumble

From the Asset Inventory, use the following pre-built query to locate potentially vulnerable HP printer and MFP assets within your network:

NOT hardware:"JetDirect" AND (mac_vendor:"HP" OR mac_vendor:="Hewlett Packard%" OR hardware:"HP%" OR hardware:="Hewlett Packard%") AND (type:printer OR os.family:"LaserJet" OR NOT (os:"%iLO%" OR type:switch OR type:computer))
Find HP printers

You can also search via the Service Inventory, using the following pre-built query to locate potentially HP printer and MFP services within your network:

_asset.protocol:http AND protocol:http AND ((html.title:="HP %LaserJet%" OR banner:="HP %LaserJet%") OR (html.title:="HP %PageWide%" OR banner:="HP %PageWide%") OR (html.title:="HP %OfficeJet%" OR banner:="HP %OfficeJet%") OR (html.title:="HP %ScanJet%" OR banner:="HP %ScanJet%"))
Find HP printers

Note that results from the above queries may contain models that are not vulnerable, so manual verification against the full lists of affected models published by HP (here and here) is needed.

As always, any prebuilt queries we create are available from our Queries Library. Check out the library for other useful inventory queries.

Try Rumble

Don’t have Rumble and need help finding your FortiWeb assets? Start your Rumble trial today.

Similar Content

January 14, 2022

Ringing in 2022 with vulns, more vulns, and CISA guidance

Wrapping up 2021 and kicking off 2022, there were no shortages of vulnerabilities, vendor security advisories, patches, and active exploitations. Oh, did we mention, even more vulnerabilities and more patches? To ring in 2022 accordingly, let’s discuss some recent …

Read More

December 10, 2021

Finding applications that use Log4J

Last updated on January 17, 2021 at 16:00 CST (-0600) Rumble can help you build an up-to-date asset inventory and search for assets that may be affected by the recent spate of Log4J vulnerabilities (e.g. Log4shell, etc.). You can then share the results with your security …

Read More

December 8, 2021

Finding Grafana instances

A zero-day vulnerability for Grafana, a popular analytics and visualization software, was leaked this week. This vulnerability provides attackers a path traversal attack vector that can result in data disclosure, resulting in access to files containing confidential …

Read More