Millions of Windows machines affected by ancient printer vulnerability


A very serious security flaw in immensely popular printer drivers has been disclosed and it could affect many millions of Windows systems. The printer driver was issued by HP, but it’s also in use by Samsung and Xerox. All the affected printers are laser printers.

The most surprising thing about this find is probably that the vulnerability has apparently existed since 2005 and was only found 16 years later.

Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. The vulnerability has been listed as CVE-2021-3438 and it is a potential buffer overflow in the software drivers that can be abused to achieve an escalation of privilege.

Vulnerabilities also often receive a severity rating on the CVSS scale. This vulnerability received an 8.8 out of 10 rating on the CVSS scale, which puts it in the high-severity range.

What is a buffer overflow?

A buffer overflow is a type of software vulnerability that occurs when a program writes more data into a buffer than it can hold, so the write runs past the buffer's boundary into an adjacent memory region. Buffer overflows can be used to overwrite useful data, cause network crashes, or replace memory with arbitrary code that the instruction pointer later executes.

In this case the buffer overflow can be used to get administrator permissions on the system as a normal user. So any attacker that wants to use this vulnerability will first need some kind of access to the system. But once they have access they can use the vulnerability to get permissions to install programs, view, change, or delete data, and encrypt files. The vulnerable driver is loaded when the system boots, so the printer doesn’t even have to be connected to the system anymore for this vulnerability to work. Even worse, the user may not even be aware of the presence of the vulnerable driver.

Discovery

The vulnerability was discovered more or less by coincidence by researchers at SentinelLabs when they were configuring a brand new HP printer. In their post about the vulnerability they state:

“Many of these drivers come preloaded on devices or get silently dropped when installing some innocuous legitimate software bundle and their presence is entirely unknown to the users. These OEM drivers are often decades old and coded without concern for their potential impact on the overall integrity of those systems.”

After the discovery on Feb 18, 2021 the researchers engaged in an “open-ended process of vulnerability discovery,” which means they spoke to vendors and manufacturers to make sure the vulnerability had a patch before it could be exploited in the wild. So far as we know, this vulnerability has not been seen abused in the wild yet. But after disclosure and publication of the patches, which will no doubt be reverse engineered, this could happen at any time.

Mitigation

HP offers an update to patch the vulnerability. The immense list of affected products can be found at the HP site about the vulnerability. To obtain the update you can go to the HP Software site and search for your printer model, even if that is a Samsung model.

If there is an update for your printer you will see something similar to this after clicking on the Software, Drivers and Firmware button.

From there you can use the Download button to obtain the update and install it. If you are looking for the update because you have an affected Xerox laser printer you can visit the Xerox Support portal where it is available for download.

So far we have found three ssport.sys files that are vulnerable. If you are unsure whether you have such a file on your system, check the ssport.sys file in your %windir%\system32\drivers directory. If it matches one of these SHA-256 hashes:

7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4

d3c763fb3f8ca7059a1d124e46014c9b578acef2fdc017f751642e2c66b7b8cc

789d98a3ad0c51e6d6ba6d907b4dbf96040ef244d71b8d53c95bb44ebc8f684b

it is a driver that pre-dates the date of the initial report, so it is very likely vulnerable and needs to be replaced.
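One way to run that check from PowerShell, added here as an example (it is not code from the original article or from the vendors): it hashes the installed ssport.sys, compares it with the three SHA-256 values above, and reports whether the kernel driver is currently loaded. The article does not name the driver's service entry, so the script looks it up by image path; that lookup is an assumption.

```powershell
# Added example, not from the original article: hash the installed ssport.sys
# and compare it with the three pre-patch SHA-256 values listed above.
$KnownVulnerable = @(
    '7cc9ba2df7b9ea6bb17ee342898edd7f54703b93b6ded6a819e83a7ee9f938b4',
    'd3c763fb3f8ca7059a1d124e46014c9b578acef2fdc017f751642e2c66b7b8cc',
    '789d98a3ad0c51e6d6ba6d907b4dbf96040ef244d71b8d53c95bb44ebc8f684b'
)

function Test-SsportDriver {
    $driverPath = Join-Path $env:windir 'System32\drivers\ssport.sys'

    if (-not (Test-Path -LiteralPath $driverPath)) {
        return [pscustomobject]@{
            Path = $driverPath; Present = $false; Hash = $null
            Version = $null; KnownVulnerable = $false; State = 'not installed'
        }
    }

    $hash    = (Get-FileHash -LiteralPath $driverPath -Algorithm SHA256).Hash.ToLower()
    $version = (Get-Item -LiteralPath $driverPath).VersionInfo.FileVersion

    # The article says the driver is loaded at boot even with no printer attached,
    # so also report the driver's state. The service name is not given in the
    # article, so the entry is matched by its image path instead (assumption).
    $svc = Get-CimInstance Win32_SystemDriver |
           Where-Object { $_.PathName -like '*\drivers\ssport.sys' } |
           Select-Object -First 1
    $state = if ($svc) { "$($svc.State) (start mode: $($svc.StartMode))" } else { 'no driver service found' }

    [pscustomobject]@{
        Path            = $driverPath
        Present         = $true
        Hash            = $hash
        Version         = $version
        KnownVulnerable = ($KnownVulnerable -contains $hash)
        State           = $state
    }
}

$result = Test-SsportDriver
$result | Format-List

if ($result.KnownVulnerable) {
    Write-Warning 'ssport.sys matches a pre-patch build: install the HP or Xerox update, then re-run this check.'
} elseif ($result.Present) {
    Write-Output 'Hash not in the known-vulnerable list; confirm the version against the vendor advisory.'
}
```

A hash that is not in the list does not prove the driver is patched, since only three vulnerable builds are known so far; the version string is printed so it can be compared with the vendor's advisory.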

Stay safe, everyone!