Alexander Bolshev and Timo Hirvonen, Security Consultants
Two exploitable bugs were found on an HP LaserJet Enterprise MFP M725, in the unit’s communications board and font parser, specifically:
These can both be used maliciously to gain code execution rights. While the communications board issue requires physical access, the latter can be accomplished remotely.
A successful attack would allow an attacker to achieve various objectives, including:
Although our research was limited to the one specific model, HP’s own security advisories state that the vulnerabilities affect over 150 products:
After receiving our report, the vendor has now resolved the issues in the latest versions of the firmware.
(While it is possible that devices from other vendors have similar issues, we have not performed research into other MFPs.)
We've released a full advisory on the vulnerabilities, including mitigations, and invite organizations to access the advisory and read the background resources listed below.
For readers interested in the original research, Printing Shellz covers the background to the project, Alex and Timo's approach end-to-end in detail, and the wider security conclusions that can be drawn from the findings.