CVE-2018-5924
Published 2018-08-13
Priority: P263 · critical · 9.8 (CVSS 3.0)
AV:N / AC:L / PR:N / UI:N / S:U / C:H / I:H / A:H
EPSS: 12.23% (95.7th percentile)
A security vulnerability has been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack buffer overflow, which could allow remote code execution.
Affected
271 ranges · showing 25
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| hp | 1dt61a_firmware | — | — |
| hp | 1jl02a_firmware | — | — |
| hp | 1jl02b_firmware | — | — |
| hp | 1sh08_firmware | — | — |
| hp | 2nd31a_firmware | — | — |
| hp | 3aw44a_firmware | — | — |
| hp | 3aw51a_firmware | — | — |
| hp | 3yz74a_firmware | — | — |
| hp | 4sc29a_firmware | — | — |
| hp | 4uj28b_firmware | — | — |
| hp | a7f64a_firmware | — | — |
| hp | a7f65a_firmware | — | — |
| hp | a7f66a_firmware | — | — |
| hp | a9j40a_firmware | — | — |
| hp | a9j41_firmware | — | — |
| hp | a9t80a_firmware | — | — |
| hp | a9t80b_firmware | — | — |
| hp | a9t89a_firmware | — | — |
| hp | a9u19a_firmware | — | — |
| hp | a9u23_firmware | — | — |
| hp | a9u28b_firmware | — | — |
| hp | b4l03_firmware | — | — |
| hp | b4l08a_firmware | — | — |
| hp | b9s56a_firmware | — | — |
| hp | b9s57c_firmware | — | — |
Detection & IOCs (extracted from sources)
- Post-exploitation involves EternalBlue (SMBv1 RCE) and DoublePulsar (kernel-level implant) being launched from the compromised printer against LAN hosts; detect SMBv1 exploitation traffic originating from printer IP addresses.
- The Devil's Ivy (CVE-2017-9765) gSOAP vulnerability is exploitable by sending an XML payload larger than 2 GB to TCP port 53048 on the printer; alert on unusually large XML POST requests to this port.
- Use Tenable Plugin 111666 (hp_printers_HPSBHF03589.nasl) to detect vulnerable HP printer firmware versions on the network.
- Use Tenable Plugin 111667 (hp_www_detect.nbin) to fingerprint HP embedded web servers on the network as a precursor to identifying affected devices.
- No ASLR is deployed on the affected firmware, meaning ROP/shellcode exploits are highly reliable once a memory corruption primitive is achieved; standard ASLR-based mitigations do not apply.
- The firmware runs all tasks in Kernel-Mode under a flat memory model with no process isolation, meaning code execution from any task yields full device control.
- The ARM CPU's separate D-Cache and I-Cache means injected shellcode must flush both caches before execution; exploit chains will include a cache-flush ROP stage before shellcode runs.
CVSS provenance
- nvd · v3.0 · 9.8 CRITICAL · CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
- nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
No detection rules found.
No public exploits indexed.
Tenable
Faxsploit Allows Remote Code Execution Through HP All-in-One Printers
blogs_tenable·2018-08-14
# Faxsploit Allows Remote Code Execution Through HP All-in-One Printers
Ryan Seguin
August 14, 2018
A new exploit demonstrated by Checkpoint Research at DEF CON last week leverages vulnerabilities in all-in-one printers, potentially allowing attackers to take control of other devices on the network.
## Background
Checkpoint Research published a proof of concept (PoC) that exploits two remote code execution vulnerabilities in HP All-in-One printers solely through the printer’s fax line. The two vulnerabilities, CVE-2018-5924 and CVE-2018-5925, are rated critical with a CVSS v3 score of 9.8.
Checkpoint was able to embed malicious code disguised as a JPEG image, which then exploited buffer overflows in the processing code to gain full access t
Checkpoint
Faxploit: Sending Fax Back to the Dark Ages
blogs_checkpoint·2018-08-12
CVE-2018-5925 Faxploit: Sending Fax Back to the Dark Ages
## Faxploit: Sending Fax Back to the Dark Ages
Research By: Eyal Itkin, Yannay Livneh and Yaniv Balmas
Fax, the brilliant technology that lifted mankind out of the dark ages of mail delivery wh
- http://www.securityfocus.com/bid/105010
- http://www.securitytracker.com/id/1041415
- https://research.checkpoint.com/sending-fax-back-to-the-dark-ages/
- https://support.hp.com/us-en/document/c06097712