An anonymous reader quotes a report from Threatpost: Researchers have published technical details of a high-severity privilege escalation flaw in HP printer drivers (also used by Samsung and Xerox), which impacts hundreds of millions of Windows machines. If exploited, attackers could bypass security products; install programs; view, modify, encrypt or delete data; or create new accounts with expanded user rights. The bug (CVE-2021-3438) has been lurking in systems for 16 years, SentinelOne researchers said, but was only discovered this year. It is rated 8.8 out of 10 on the CVSS scale, making it high severity.
According to the researchers, the vulnerability exists in a function inside the driver that accepts data sent from user mode through input/output control (IOCTL); it does so without validating the size parameter. As the name suggests, IOCTL is a system call for device-specific I/O operations. “This function copies a string from user input using ‘strncpy’ with a user-controlled size parameter,” according to the SentinelOne analysis released Tuesday. “Essentially, it allows attackers to overrun the buffer used by the driver.” Thus, unprivileged users can elevate themselves to a SYSTEM account, allowing them to execute code in kernel mode, since the vulnerable driver is available locally to anyone, according to the firm.
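The pattern described above, as an added illustration (not the driver's code, and not from SentinelOne's analysis): an IOCTL-style handler that copies a string with a size taken from the request, next to a hardened version that bounds the copy by the destination. The request struct, the 64-byte buffer size and the `copy_name_*` names are assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed destination size standing in for the driver's buffer; the
   real size is not given on the page, so 64 is an assumption. */
#define DST_LEN 64

/* Hypothetical IOCTL request: a user-controlled length plus the bytes it
   describes. An illustration, not the driver's real structure. */
struct ioctl_req {
    uint32_t    len;   /* size parameter supplied from user mode */
    const char *data;  /* string supplied from user mode */
};

/* The flaw class the report describes: the copy length is taken straight
   from the request, so a len beyond the buffer writes past its end. */
int copy_name_unchecked(const struct ioctl_req *req, char *dst)
{
    strncpy(dst, req->data, req->len);   /* user-controlled size */
    return 0;
}

/* Hardened form: the bound comes from the destination, an oversize request
   is rejected rather than silently truncated, and the result is always
   NUL-terminated, which strncpy by itself does not guarantee. */
int copy_name_checked(const struct ioctl_req *req, char *dst, size_t dst_len)
{
    if (req == NULL || req->data == NULL || dst == NULL || dst_len == 0)
        return -1;
    if (req->len >= dst_len)             /* keep room for the terminator */
        return -1;
    memcpy(dst, req->data, req->len);
    dst[req->len] = '\0';
    return 0;
}

/* Builds a constructed request of `len` 'A' bytes (at most 256) and runs it
   through the checked copy into a DST_LEN buffer; returns that result. */
int try_filled_request(uint32_t len)
{
    char src[256];
    char dst[DST_LEN];
    struct ioctl_req req = { len, src };
    if (len > sizeof src)
        return -2;
    memset(src, 'A', sizeof src);
    return copy_name_checked(&req, dst, sizeof dst);
}
```

The unchecked function is kept only for comparison with the checked one; the checked path accepts anything up to 63 bytes and refuses the rest.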
The printer-based attack vector is perfect for cybercriminals, according to SentinelOne, because printer drivers are essentially ubiquitous on Windows machines and are automatically loaded on every boot. “So, in effect, this driver is installed and loaded without even asking or notifying the user,” the researchers explained. “Whether you configure the printer to work wirelessly or through a USB cable, that driver is loaded. In addition, it will be loaded by Windows on each startup. This makes the driver an ideal candidate to target since it will still be loaded on the device even if there is no printer connected.” Affected models and associated fixes can be found here and here.
“While HP is releasing a patch (a fixed driver), it should be noted that the certificate has not yet been revoked at the time of writing,” according to SentinelOne. “This is not considered best practice, as the vulnerable driver can still be used in BYOVD (bring your own vulnerable driver) attacks. Some Windows machines may already have the vulnerable driver without even running a dedicated installer file, as it is bundled with Microsoft Windows through Windows Update.”
16-year-old HP printer driver bug affects millions of Windows machines