Printers that use Hewlett-Packard print server software are vulnerable to attacks that can bypass built-in biometric defenses, recover previously printed documents and crash all vulnerable machines attached to a network.
That warning comes from viaForensics researcher Sebastian Guerrero, who said he identified the security problems in HP’s JetDirect software while testing printers in his spare time.
JetDirect software works in internal, external and embedded print servers sold by numerous printer manufacturers — everyone from Canon and Lexmark to Samsung and Xerox. The software handles any printing request made via a network, in part by adding additional information, which the printer then parses. This additional information is in the form of tags such as UEL (universal exit language), which notes the beginning and end of data streams; PJL (printer job language), to tell the printer what to do; and PCL (printer control language), which formats pages.
But attackers can also use these HP printer language command tags to evade security controls built into the devices — such as fingerprint or smart card checks — as well as to knock the machines offline, reprint previously printed documents or even brick the device.
“By fuzzing tags that are parsed and used by interpreters of PCL/PJL, an attacker could trigger a persistent denial of service affecting a large percentage of models and manufacturers,” said Guerrero in a security analysis that outlines the flaws he discovered in JetDirect.
The tags also give attackers a way to recover documents that might otherwise store in encrypted form and relatively inaccessible.
“All of the heavily encrypted documents a company has on its computers are automatically unprotected once sent to the print queue and are recorded and stored in the history,” said Guerrero. Furthermore, he said, an attacker can reprint these documents.
The tags can also work to knock network-connected printers offline. “If you modify any of these parameters by inserting an unexpected character, depending on how it is implemented by the parser and interpreter for the specific printer model, you may cause a denial of service, knocking printers offline and forcing them to be reset manually,” he said.
An HP spokeswoman didn’t immediately comment.
Guerrero declined to detail specific printer makes and models that might suffer from these vulnerabilities, although he said he confirmed the vulnerability on HP DesignJet printers, as well as some types of Ricoh printers. But he noted any device that uses JetDirect is at least vulnerable to having its authentication bypassed by an attacker, using the security holes he identified.