This fall, HP Inc. published an article describing a buffer overflow vulnerability in their printer software which would allow an attacker to obtain persistent remote code execution on the printer. Buffer overflow vulnerabilities are common, but what makes this one noteworthy is that it can be exploited remotely by a malicious third-party printer cartridge.
In the printer ecosystem, there is a large third-party marketplace where supplies such as toner and ink cartridges are sold at a lower cost than their official HP-branded counterparts. These third-party supplies contain chips that are designed to be updatable and reprogrammable to ensure that if the OEM updates the printer, the cartridge can remain compatible and functional for the end user. However, this flexibility can be taken advantage of by an attacker if best security practices are not employed to prevent a malicious actor from installing malware on the cartridge.
A malicious cartridge or supply can then attack the printer over the communication interface to gain control over the printer itself. In the case of the buffer overflow vulnerability discovered in HP printers (CVE-2022-28722), the vulnerability can be exploited over the serial communication interface between the cartridge and printer.
One scenario for such an attack that does not require the attacker to have physical access to the printer: an office receives free cartridges as part of a promotion, and the attacker has already loaded malware onto those cartridges. Once the malicious cartridges are installed, the buffer overflow vulnerability is exploited to gain control over the printer itself. Printers are often privy to sensitive data and reside inside corporate networks, making them attractive targets for a bad actor looking to exfiltrate confidential data or perform further attacks.
HP discovered this vulnerability through their bug bounty program, which began looking at the attack surface exposed by potentially malicious third-party cartridges in 2020. Riscure routinely looks at physical interfaces between components with different trust levels during security evaluations of embedded devices. Common examples are attacking a host through an exposed UART or debug interface, modifying external flash memory, and intercepting and modifying serial communication over I2C or SPI buses exposed at the board level.
Typically, when these attack vectors are considered, it is assumed that physical access to the target is required, making them a lower priority in an evaluation compared to the attack surface provided by the network interface. The unique ecosystem of third-party printer supplies requires printer OEMs to re-examine these priorities. We recommend that the code handling the communication between the printer and its supplies be reviewed for vulnerabilities, and that the device itself be tested under the assumption that any input from the supplies is untrusted. OEMs should also evaluate the security of their own supplies against malicious modification.
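To make the review recommendation concrete, here is an added example (not code from HP, Riscure, or the original article) of the defect class in question. It assumes a hypothetical cartridge response framing, one length byte followed by that many payload bytes, which is an invented layout for illustration and not HP's actual protocol. The unchecked parser shows the pattern a reviewer should flag when the length comes from the supply; the checked parser shows what "treat supply input as untrusted" looks like in code.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed framing for this example (not HP's real protocol): the supply
 * answers a query with one length byte followed by that many payload bytes. */
#define FIELD_MAX 32

enum parse_status { PARSE_OK = 0, PARSE_TOO_LONG = 1, PARSE_TRUNCATED = 2 };

/* Weak pattern a reviewer should flag: the length byte comes from the
 * cartridge, yet it alone decides how much is copied into a fixed buffer. */
void parse_field_unchecked(const uint8_t *frame, char out[FIELD_MAX])
{
    size_t claimed = frame[0];
    memcpy(out, frame + 1, claimed);   /* overflows 'out' when claimed >= FIELD_MAX */
    out[claimed] = '\0';
}

/* Hardened version: the claimed length is checked against the destination
 * size and against the number of bytes actually received before any copy. */
enum parse_status parse_field_checked(const uint8_t *frame, size_t frame_len,
                                      char out[FIELD_MAX])
{
    if (frame_len < 1) return PARSE_TRUNCATED;
    size_t claimed = frame[0];
    if (claimed >= FIELD_MAX) return PARSE_TOO_LONG;      /* keep room for the NUL */
    if (claimed > frame_len - 1) return PARSE_TRUNCATED;  /* claim exceeds data on the wire */
    memcpy(out, frame + 1, claimed);
    out[claimed] = '\0';
    return PARSE_OK;
}

/* Feeds a few constructed frames (sample data, not captured traffic) through
 * the checked parser and returns how many were rejected. */
int count_rejected_samples(void)
{
    static const uint8_t good[]  = { 5, 'C', 'Y', 'A', 'N', '1' };
    static const uint8_t lying[] = { 20, 'A', 'B' };   /* claims 20 bytes, sends 2 */
    uint8_t oversized[1 + 40];                         /* consistent, but too long */
    oversized[0] = 40;
    memset(oversized + 1, 'X', 40);

    char out[FIELD_MAX];
    int rejected = 0;
    if (parse_field_checked(good, sizeof good, out) != PARSE_OK) rejected++;
    if (parse_field_checked(lying, sizeof lying, out) != PARSE_OK) rejected++;
    if (parse_field_checked(oversized, sizeof oversized, out) != PARSE_OK) rejected++;
    return rejected;
}

int main(void)
{
    printf("rejected %d of 3 sample frames\n", count_rejected_samples());
    return 0;
}
```

The second check in `parse_field_checked` is the one most often missing in firmware parsers: even when the length is bounded against the destination, a supply that claims more bytes than it actually sent can make the host read past the received data. Treating both the destination size and the received byte count as hard limits is what makes the supply-side input untrusted in practice.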
HP has patched the buffer overflow vulnerability as part of a firmware update and encourages customers to keep their systems up to date. However, the article mentions that for customers relying on third-party supplies there is often the opposing incentive to not update the printer for fear that the supplies will no longer function.