A 16-year-old security vulnerability in a printer driver shipped with millions of HP, Samsung, and Xerox printers allows attackers to gain administrator rights on systems running the vulnerable driver software.
According to the researchers, some HP, Xerox, and Samsung printer models ship with vulnerable driver software that has been sold worldwide since 2005.
Tracked as CVE-2021-3438 (CVSS score: 8.8), the issue is a buffer overflow in a print driver installer package named “SSPORT.SYS” that can enable privilege escalation and arbitrary code execution. Hundreds of millions of printers have been released worldwide to date with the vulnerable driver in question.
As the researchers discovered, the buggy driver automatically gets installed with the printer software and will be loaded by Windows after each system reboot.
“This makes the driver a perfect candidate to target since it will always be loaded on the machine even if there is no printer connected,” the researchers say.
However, there is no evidence that the flaw was abused in real-world attacks.
Successful exploitation requires local user access, which means that threat actors first need a foothold on the targeted device.
The vulnerable function in the driver accepts data without validating its size parameter, which in theory allows an attacker to overrun the driver’s buffer.
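To make the bug class concrete, here is an added, constructed illustration of a request handler that validates a caller-supplied length before copying, written for this article and not taken from SSPORT.SYS or any vendor code; the header layout, buffer size and function names are assumptions. The two checks marked in the comments are exactly the kind of validation the article says the driver lacked.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed model of the CVE-2021-3438 bug class (not SSPORT.SYS code):
 * a driver receives a caller-controlled request whose header declares a
 * payload length, then copies that many bytes into a fixed-size buffer. */

#define PAYLOAD_CAP 64   /* hypothetical fixed-size internal buffer */
#define HDR_LEN 4        /* hypothetical header: 32-bit little-endian length */

enum status { ST_OK = 0, ST_BAD_LENGTH = 1, ST_SHORT_INPUT = 2 };

struct request_ctx {
    uint8_t payload[PAYLOAD_CAP];
    uint32_t payload_len;
};

/* Hardened handler: the declared length is checked against both the bytes
 * the caller actually supplied and the destination capacity before any
 * copy. A handler that trusts `declared` and calls memcpy directly is the
 * "acceptance of data without size parameter validation" described above. */
enum status handle_request(struct request_ctx *ctx, const uint8_t *in, size_t in_len) {
    if (in == NULL || in_len < HDR_LEN)
        return ST_SHORT_INPUT;
    uint32_t declared = (uint32_t)in[0] | ((uint32_t)in[1] << 8) |
                        ((uint32_t)in[2] << 16) | ((uint32_t)in[3] << 24);
    if (declared > in_len - HDR_LEN)   /* check 1: claim exceeds bytes supplied */
        return ST_BAD_LENGTH;
    if (declared > PAYLOAD_CAP)        /* check 2: claim exceeds destination size */
        return ST_BAD_LENGTH;
    memcpy(ctx->payload, in + HDR_LEN, declared);
    ctx->payload_len = declared;
    return ST_OK;
}

/* Builds a constructed request: header declaring `declared`, then `n` filler bytes.
 * Returns the total request length, or 0 if the output buffer is too small. */
size_t build_request(uint8_t *out, size_t out_cap, uint32_t declared, size_t n) {
    if (out_cap < HDR_LEN + n) return 0;
    out[0] = declared & 0xff;         out[1] = (declared >> 8) & 0xff;
    out[2] = (declared >> 16) & 0xff; out[3] = (declared >> 24) & 0xff;
    memset(out + HDR_LEN, 'x', n);
    return HDR_LEN + n;
}

int main(void) {
    uint8_t buf[256];
    struct request_ctx ctx;
    size_t len = build_request(buf, sizeof buf, 200, 200); /* declares more than PAYLOAD_CAP */
    printf("oversized request -> status %d (expect %d)\n", handle_request(&ctx, buf, len), ST_BAD_LENGTH);
    return 0;
}
```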
The issue was reported to HP by threat intelligence researchers from SentinelLabs on February 18, 2021, and fixes for the affected printers were published on May 19, 2021.
Local attackers could escalate their privileges to the SYSTEM account and run code in kernel mode, which would let them tamper with the target machine. However, SentinelLabs says it did not invest the time to weaponize the bug on its own, and a working exploit may require chaining it with other vulnerabilities.
Once a foothold is obtained, attackers can abuse the security bug to escalate privileges in a low-complexity attack that requires no user interaction.
Update Your Drivers ASAP
In a security advisory, HP said impacted models include the HP LaserJet, Samsung CLP, Samsung MultiXpress, and Samsung Xpress series.
“Some Windows machines may already have this driver without even running a dedicated installation file, since this driver comes with Microsoft Windows via Windows Update,” the researchers added.
This is not the first time security flaws have been discovered in old software drivers. Earlier this May, SentinelOne revealed details about multiple critical privilege escalation vulnerabilities in Dell’s firmware update driver named “dbutil_2_3.sys” that went undisclosed for more than 12 years.