Support, News and Updates

Support

Fax Exploit in HP All-in-One Printers disclosed

On July 31st, 2018 HP announced they were offering up to $10,000 bug-bounty in partnership with a crowd sourcing security site Bugcrowd.com. It’s now become public that back in May 2018, a major security flaw was found in many HP All-in-one fax/printers using ink jet technology. CheckPoint Research reported the fax exploit to HP in early May and to the public on August 12th. It’s unknown if CheckPoint’s revealing of this fax exploit was the primary reason why HP decided to participate in the first ever ‘printer’ related security crowd sourcing bounty on July 31st. After further research and testing by HP, the fax exploit was patched via a firmware update released on August 1st, 2018.

The ‘faxploit’ reported by CheckPoint allows an attacker to send a payload by sending a full-color fax to the victims HP All-in-one ink jet fax/printer. The image file with embedded payload is then saved to the printers memory in jpeg format without sanitation, causing a stack-based buffer overflow and allowing remote code execution.  The attacker can now program the fax printer to perform other tasks.  If the device is connected to your network, it’s possible to infect connected machines with malware.

When we started our research, our goal was to show that the fax machine, which is now mostly embedded in all-in-one printers, poses a security risk that was yet to be considered by the research community. In our research we presented the ITU T.30 fax protocol, including some of its extensions, such as Annex E that defines how to send colourful faxes. These protocols, defined in the 90s, use complex state machines, complicated compressions and several hard to implement extensions.

Using the HP Officejet Pro 6830 all-in-one printer as a test case, we were able to demonstrate the security risk that lies in a modern implementation of the fax protocol. Using nothing but a phone line, we were able to send a fax that could take full control over the printer, and later spread our payload inside the computer network accessible to the printer.

We believe that this security risk should be given special attention by the community, changing the way that modern network architectures treat network printers and fax machines. From now on, a fax machine should be treated as a possible infiltration vector into the corporate network.

Please see HP All-in-one Printer FAX Exploit Firmware Update to update your firmware if your model is listed.

How does it work?

It uses a vulnerability in the firmware of the printer to allow a JPEG file to be received and saved in the memory of the printer, causing a stack-buffer overflow and allowing remote code execution. Similar to a vulnerability found in WinFax PRO viewer control disclosed in 2009, and reported here

Does this affect other models/makes of Fax Machines?

This research by CheckPoint was done on a HP Officejet Pro 6830 all-in-one ink printer with fax support. HP has confirmed this exploit is applicable to additional models of the HP ink-jet type printer with fax capability. It is possible that other manufacturers may use the same type of embedded software to control the fax hardware. In this case, the exploit may be possible on other fax devices that use similar embedded technology.

How to prevent this exploit:

Update your printer firmware as recommended by the manufacturer (You should do this as soon as possible)

If you are unable to update your firmware and are concerned about this exploit,

Disable Color Fax support in your All-in-one Printer.
Turn off Fax Auto-answer in your All-in-one Printer
Disable fax in your All-in-one Printer.
Disconnect the telephone line from your All-in-one Printer.

Note that these suggestions may only prevent remote execution of the fax exploit, it is possible a similar exploit exists with the document scanner so it is best to contact the manufacturer of your printer if it is not an HP Model.

More information:

Checkpoint Research – Fax All-in-one details by CheckPoint Research
Video – Video showing the Fax exploit in action
HP – HP All-in-one Printer Security Information

Leave a reply