Sunday, April 6, 2025

Compromising Printers via Malicious Third-Party Cartridges


In the fall of 2022, Actionable Intelligence published an article describing a buffer overflow vulnerability in HP Inc. printer software, which would allow an attacker to obtain persistent remote code execution on the printer. Buffer overflow vulnerabilities are common, but what makes this one noteworthy is that it can be exploited remotely by a malicious third-party printer cartridge.

In the printer ecosystem, there is a large third-party marketplace where supplies such as toner and ink cartridges are sold at a lower cost than their official HP-branded counterparts. These third-party supplies contain chips that are designed to be updatable and reprogrammable, so that if the original equipment manufacturer (OEM) updates the printer, the cartridge can remain compatible and functional for the end user. However, an attacker can take advantage of this same flexibility if sound security practices are not applied to prevent a malicious actor from installing malware on the cartridge.

A malicious cartridge or supply can then attack the printer over the communication interface to gain control of the printer itself. In the case of the buffer overflow vulnerability discovered in HP printers (CVE-2022-28722), the vulnerability can be exploited over the serial communication interface between the cartridge and printer.

A possible attack scenario that does not require the attacker to have physical access to the printer itself is one in which an attacker loads malware onto cartridges and then ships them to an office as part of a promotion. Once someone installs these malicious cartridges, the buffer overflow vulnerability is exploited to gain control over the printer itself. Printers are often privy to sensitive data and reside inside corporate networks, making them attractive targets for a bad actor looking to exfiltrate confidential data or perform further attacks.

HP discovered this vulnerability through their bug bounty program, which began looking at the attack surface exposed by potentially malicious third-party cartridges in 2020. At Keysight, we routinely look at physical interfaces between components with different trust levels during security evaluations of embedded devices. Common examples are attacking a host through an exposed universal asynchronous receiver/transmitter (UART) or debug interface, modifying external flash memory, and intercepting and modifying serial communication over inter-integrated circuit (I2C) or serial peripheral interface (SPI) buses exposed at the board level.

Typically, when considering these attack vectors, we assume that physical access to the target is required, which makes them a lower priority for an examination than the attack surface exposed by the network interface. The unique ecosystem of third-party printer supplies requires printer OEMs to re-examine these priorities. We recommend that the code handling the communication between the printer and its supplies be reviewed for vulnerabilities, in addition to testing the device itself under the assumption that any input from the supplies is untrusted. OEMs should also evaluate the security of their own supplies against malicious modification.
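To make that recommendation concrete, here is an added example (not HP's code, and not a reproduction of CVE-2022-28722) of a hypothetical length-prefixed cartridge frame parsed two ways: once trusting the length the supply declares, and once validating that length against both the destination buffer and the bytes actually received. The frame layout, the function names and the sample frames are assumptions made for this illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Hypothetical frame layout (assumed, not HP's real cartridge protocol):
 *   byte 0 = message type, byte 1 = declared payload length, bytes 2.. = payload */
#define PAYLOAD_MAX 16

typedef struct {
    uint8_t type;
    uint8_t len;
    uint8_t payload[PAYLOAD_MAX];
} supply_record_t;

/* Vulnerable pattern: the printer copies as many bytes as the cartridge says,
 * so a length byte above PAYLOAD_MAX writes past payload[]. This is the general
 * shape of a supply-side buffer overflow; it is kept only for comparison and
 * must never be fed a frame whose length byte exceeds PAYLOAD_MAX. */
int parse_frame_trusting(const uint8_t *frame, size_t n, supply_record_t *out)
{
    if (n < 2) return -1;
    out->type = frame[0];
    out->len  = frame[1];
    memcpy(out->payload, frame + 2, out->len);   /* bound chosen by the cartridge */
    return 0;
}

/* Hardened pattern: every length the supply declares is checked against both
 * the destination buffer and the bytes actually received before any copy.
 * Returns 0 on success, -1 incomplete header, -2 oversized, -3 truncated. */
int parse_frame_untrusted(const uint8_t *frame, size_t n, supply_record_t *out)
{
    if (frame == NULL || out == NULL || n < 2) return -1;
    uint8_t declared = frame[1];
    if (declared > PAYLOAD_MAX) return -2;       /* would overflow payload[] */
    if ((size_t)declared > n - 2) return -3;     /* would over-read the frame */
    memset(out, 0, sizeof *out);
    out->type = frame[0];
    out->len  = declared;
    memcpy(out->payload, frame + 2, declared);
    return 0;
}

/* Constructed sample frames for demonstration. */
static const uint8_t good_frame[]      = { 0x01, 4,   'A', 'B', 'C', 'D' };
static const uint8_t oversized_frame[] = { 0x01, 200, 'A', 'B' };
static const uint8_t truncated_frame[] = { 0x01, 4,   'A', 'B' };
```

The same two checks apply to any field whose size the supply controls, not just the payload length; a real review of supply-handling code should look for every copy whose bound originates on the cartridge side.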

HP patched the buffer overflow vulnerability as part of a firmware update and encouraged customers to keep their systems up to date. However, the Actionable Intelligence article notes that customers relying on third-party supplies often have the opposite incentive: they avoid updating the printer for fear that their supplies will stop working.


