Technical Advisory: Multiple Vulnerabilities in HP Printers

Multiple vulnerabilities, ranging from Cross-Site Scripting to buffer overflows, were found in several HP printers:

Multiple Buffer Overflows in IPP Service (CVE-2019-6327)
Buffer Overflow in Web Server (CVE-2019-6326)
Multiple Cross-Site Scripting Vulnerabilities (CVE-2019-6323, CVE-2019-6324)
Cross-Site Request Forgery Countermeasures Bypass (CVE-2019-6325)

 

Technical Advisories:

Multiple Buffer Overflows in IPP Service (CVE-2019-6327)

Vendor: HP
Vendor URL: https://support.hp.com/us-en/document/c06356322 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-6327
Risk: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)

Summary

Some HP printers were affected by multiple overflow vulnerabilities in the IPP service. This would allow an attacker to cause a Denial of Service (DoS) and potentially execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can crash the device and potentially lead to remote code execution on the affected device.

Details

Specially crafted requests to the IPP service will cause a vulnerable device to crash. Multiple buffer overflow vulnerabilities have been identified in different parameter names and values of the IPP service of HP devices that allow an attacker to crash the device and potentially execute arbitrary code.

CVSSv3 Base Score: 9.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 3.9

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

Printer Name | Model Number | Firmware Version
HP COLOR LASERJET PRO M280-M281 MULTIFUNCTION PRINTER SERIES | T6B80A, T6B83A, T6B81A, T6B82A | <20190419
HP LASERJET PRO MFP M28-M31 PRINTER SERIES | W2G54A, W2G55A, Y5S53A, Y5S55A, Y5S50A, Y5S54A | <20190426

 

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and June: Permanent email contact between NCC Group and HP in order to follow up the process.
2019-05-30: HP Security Bulletin released 
2019-06-26: NCC Group Advisory released

References

HP Security Bulletin:
https://support.hp.com/us-en/document/c06356322

CVE-2019-6327
https://nvd.nist.gov/vuln/detail/CVE-2019-6327

 

Buffer Overflow in Web Server (CVE-2019-6326)

Vendor: HP
Vendor URL: https://support.hp.com/us-en/document/c06356322 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-6326
Risk: 7.2 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)

Summary

Some HP printers were affected by a buffer overflow vulnerability in the web application that would allow an attacker to cause a Denial of Service (DoS) and potentially execute arbitrary code on the device.

Impact

Successful exploitation of this vulnerability can crash the device and potentially lead to remote code execution on the affected device.

Details

Specially crafted requests with long parameter values will cause a vulnerable device to crash. A buffer overflow vulnerability has been identified in a parameter value of HP devices that allows an attacker to crash the device and potentially execute arbitrary code.

CVSSv3 Base Score: 7.2 (CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 1.2

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

Printer Name | Model Number | Firmware Version
HP COLOR LASERJET PRO M280-M281 MULTIFUNCTION PRINTER SERIES | T6B80A, T6B83A, T6B81A, T6B82A | <20190419
HP LASERJET PRO MFP M28-M31 PRINTER SERIES | W2G54A, W2G55A, Y5S53A, Y5S55A, Y5S50A, Y5S54A | <20190426

 

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and June: Permanent email contact between NCC Group and HP in order to follow up the process.
2019-05-30: HP Security Bulletin released 
2019-06-26: NCC Group Advisory released

References

HP Security Bulletin:
https://support.hp.com/us-en/document/c06356322

CVE-2019-6326
https://nvd.nist.gov/vuln/detail/CVE-2019-6326

 

Multiple Cross-Site Scripting Vulnerabilities (CVE-2019-6323, CVE-2019-6324)

Vendor: HP
Vendor URL: https://support.hp.com/us-en/document/c06356322 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-6323, CVE-2019-6324
Risk: CVE-2019-6323: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
 CVE-2019-6324: 4.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)

Summary

Multiple Cross-Site Scripting vulnerabilities, including Stored Cross-Site Scripting issues, were found in the HP Management Web Application.

Impact

Successful exploitation of this vulnerability can lead to session hijacking of the administrator in the web application or the execution of unwanted actions.

Details

Several functionalities related to the WiFi configuration were vulnerable to Cross-Site Scripting attacks. This type of vulnerability occurs when untrusted data is included in the resulting page without being correctly HTML-encoded, so that client-side executable code may be injected into the dynamic page.

CVE-2019-6323:
CVSSv3 Base Score: 6.1 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N)
Impact Subscore: 2.7
Exploitability Subscore: 2.8

CVE-2019-6324:
CVSSv3 Base Score: 4.8 (CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:C/C:L/I:L/A:N)
Impact Subscore: 2.7
Exploitability Subscore: 1.7

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

Printer Name | Model Number | Firmware Version
HP COLOR LASERJET PRO M280-M281 MULTIFUNCTION PRINTER SERIES | T6B80A, T6B83A, T6B81A, T6B82A | <20190419
HP LASERJET PRO MFP M28-M31 PRINTER SERIES | W2G54A, W2G55A, Y5S53A, Y5S55A, Y5S50A, Y5S54A | <20190426

 

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and June: Permanent email contact between NCC Group and HP in order to follow up the process.
2019-05-30: HP Security Bulletin released 
2019-06-26: NCC Group Advisory released

References

HP Security Bulletin:
https://support.hp.com/us-en/document/c06356322

CVE-2019-6323
https://nvd.nist.gov/vuln/detail/CVE-2019-6323

CVE-2019-6324
https://nvd.nist.gov/vuln/detail/CVE-2019-6324

 

Cross-Site Request Forgery Countermeasures Bypass (CVE-2019-6325)

Vendor: HP
Vendor URL: https://support.hp.com/us-en/document/c06356322 
Versions affected: See Devices Affected section
Devices affected: See Devices Affected section
Authors: Daniel Romero – daniel.romero[at]nccgroup[dot]com
 Mario Rivas – mario.rivas[at]nccgroup[dot]com
Advisory URL / CVE Identifier: CVE-2019-6325
Risk: 8.8 (CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H)

Summary

The Cross-Site Request Forgery countermeasures of the HP management web application were not properly implemented, and it was possible to bypass them. As a result, CSRF attacks could be performed within any domain that contained the hostname of the device.

Impact

Successful exploitation of this vulnerability can lead to an administrator unwittingly performing actions within the application such as adding accounts to the system or changing settings.

Details

The mechanism to avoid Cross-Site Request Forgery attacks of the HP management web application did not properly check the Referer and Origin headers. As an example, if the hostname of a printer is “hp01.local”, it would accept Origin and Referer headers coming from “hp01.local.nccgroup.com”.
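The difference between a containment check and an exact host comparison on these headers, as an added example (not code from the advisory or from HP firmware). The `weak_check` logic is an assumption that reproduces the behaviour described above; the sample header values other than the advisory's own are constructed, and the strict check compares the host only, not scheme or port.

```python
from urllib.parse import urlsplit

DEVICE_HOST = "hp01.local"  # printer hostname used in the advisory's example

# Constructed header values (the second one is the advisory's own example).
SAMPLES = [
    "http://hp01.local",
    "http://hp01.local.nccgroup.com",
    "http://xhp01.local",
    "https://HP01.local:443",
    "null",
]


def weak_check(value, device_host=DEVICE_HOST):
    """Assumed flawed logic: accept when the hostname appears anywhere in the header."""
    return device_host in (value or "")


def header_host(value):
    """Hostname of an Origin/Referer value, lower-cased, or None if unusable."""
    try:
        parts = urlsplit((value or "").strip())
    except ValueError:
        return None
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.rstrip(".").lower()


def strict_check(origin, referer, allowed_hosts=(DEVICE_HOST,)):
    """Exact host match. Origin decides when present, else Referer; neither means reject."""
    allowed = {h.lower() for h in allowed_hosts}
    for value in (origin, referer):
        if value is not None:
            return header_host(value) in allowed
    return False


def compare(samples=SAMPLES):
    """Return (header, weak verdict, strict verdict) for each sample Origin value."""
    return [(s, weak_check(s), strict_check(s, None)) for s in samples]


if __name__ == "__main__":
    for header, weak, strict in compare():
        print(f"{header:32} weak={weak!s:5} strict={strict}")
```

The containment check also rejects the legitimate mixed-case value, which shows that it is neither safe nor correct as a host comparison.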

CVSSv3 Base Score: 8.8 (CVSS:3.0/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:H)
Impact Subscore: 5.9
Exploitability Subscore: 2.8

Proof of Concept

Proof of Concepts will be disclosed once enough time has been allowed for the vendor to deploy the corresponding security patches.

Devices Affected

The table below shows the devices and firmware versions affected:

Printer Name | Model Number | Firmware Version
HP COLOR LASERJET PRO M280-M281 MULTIFUNCTION PRINTER SERIES | T6B80A, T6B83A, T6B81A, T6B82A | <20190419
HP LASERJET PRO MFP M28-M31 PRINTER SERIES | W2G54A, W2G55A, Y5S53A, Y5S55A, Y5S50A, Y5S54A | <20190426

 

Vendor Communication

2019-02-19: Responsible Vulnerability Disclosure process initialized
Between February and June: Permanent email contact between NCC Group and HP in order to follow up the process.
2019-05-30: HP Security Bulletin released 
2019-06-26: NCC Group Advisory released

References

HP Security Bulletin:
https://support.hp.com/us-en/document/c06356322

CVE-2019-6325
https://nvd.nist.gov/vuln/detail/CVE-2019-6325

About NCC Group

NCC Group is a global expert in cybersecurity and risk mitigation, working with businesses to protect their brand, value and reputation against the ever-evolving threat landscape. With our knowledge, experience and global footprint, we are best placed to help businesses identify, assess, mitigate and respond to the risks they face. We are passionate about making the Internet safer and revolutionizing the way in which organizations think about cybersecurity.
