vulnerability

HP has published security advisories for three critical-severity vulnerabilities affecting hundreds of its LaserJet Pro, Pagewide Pro, OfficeJet, Enterprise, Large Format, and DeskJet printer models.

The first security bulletin warns about about a buffer overflow flaw that could lead to remote code execution on the affected machine. Tracked as CVE-2022-3942, the security issue was reported by Trend Micro’s Zero Day Initiative team.

Although it comes with a severity score of 8.4 (high), as calculated with the Common Vulnerability Scoring System (CVSS), HP lists the bug’s severity as critical.

HP has released firmware security updates for most of the affected products. For the models without a patch, the company provides mitigation instructions that revolve mainly around disabling LLMNR (Link-Local Multicast Name Resolution) in network settings.

KiK team recommends regular vulnerability assessments and penetration tests to ensure your cybersecurity and data protection.

Steps for disabling unused network protocols using the embedded web server (EWS) for LaserJet Pro.

A second security bulletin from HP warns about two critical and one high-severity vulnerability that could be exploited for information disclosure, remote code execution, and denial of service.

The three vulnerabilities are tracked as CVE-2022-24291 (high severity score: 7.5), CVE-2022-24292 (critical severity score: 9.8), and CVE-2022-24293 (critical severity score: 9.8). Credit for reporting them also go to the Zero Day Initiative team.

In this case too, the official recommendation is to update your printer firmware to the designated versions, but this isn’t available for all impacted models.

There’s no mitigation advice to remediate the problem for one of the listed LaserJet Pro models, but it has been marked as pending, so the security updates for that one should become available soon.

Admins of all other models may visit HP’s official software and driver download portal, navigate to select their device model, and install the latest available firmware version.

While not many details have been published about these vulnerabilities, the repercussions of remote code execution and information disclosure are generally far-reaching and potentially dire.

As such, it is recommended to apply the security updates as soon as possible, place the devices behind a network firewall, and impose remote access restriction policies.

Researchers have disclosed a new technique that could be used to circumvent existing hardware mitigations in modern processors from Intel, AMD, and Arm, and stage speculative execution attacks such as Spectre to leak sensitive information from host memory.

Attacks like Spectre are designed to break the isolation between different applications by taking advantage of an optimization technique called speculative execution in CPU hardware implementations to trick programs into accessing arbitrary locations in memory and thus leak their secrets.

While chipmakers have incorporated both software and hardware defenses, including Retpoline as well as safeguards like Enhanced Indirect Branch Restricted Speculation (eIBRS) and Arm CSV2, the latest method demonstrated by VUSec researchers aims to get around all these protections.

Called Branch History Injection (BHI or Spectre-BHB), it’s a new variant of Spectre-V2 attacks (tracked as CVE-2017-5715) that bypasses both eIBRS and CSV2, with the researchers describing it as a “neat end-to-end exploit” leaking arbitrary kernel memory on modern Intel CPUs.

“The hardware mitigations do prevent the unprivileged attacker from injecting predictor entries for the kernel,” the researchers explained.

“However, the predictor relies on a global history to select the target entries to speculatively execute. And the attacker can poison this history from userland to force the kernel to mispredict to more ‘interesting’ kernel targets (i.e., gadgets) that leak data,” the Systems and Network Security Group at Vrije Universiteit Amsterdam added.

Put differently, a piece of malicious code can use the shared branch history, which is stored in the CPU Branch History Buffer (BHB), to influence mispredicted branches within the victim’s hardware context, resulting in speculative execution that can then be used to infer information that should be inaccessible otherwise.

Spectre-BHB renders vulnerable all Intel and Arm processors that were previously affected by Spectre-V2 along with a number of chipsets from AMD, prompting the three companies to release software updates to remediate the issue.

Intel is also recommending customers to disable Linux’s unprivileged extended Berkeley Packet Filters (eBPF), enable both eIBRS and Supervisor-Mode Execution Prevention (SMEP), and add “LFENCE to specific identified gadgets that are found to be exploitable.”

“The [Intel eIBRS and Arm CSV2] mitigations work as intended, but the residual attack surface is much more significant than vendors originally assumed,” the researchers said.

“Nevertheless, finding exploitable gadgets is harder than before since the attacker can’t directly inject predictor targets across privilege boundaries. That is, the kernel won’t speculatively jump to arbitrary attacker-provided targets, but will only speculatively execute valid code snippets it already executed in the past.”