CVE-2018-5924
published 2018-08-13

Priority: P263
CVSS 3.0: 9.8 (critical)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS: 12.23% (95.7th percentile)
A security vulnerability has been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack buffer overflow, which could allow remote code execution.

Affected

271 ranges · showing 25 (the version range and fixed-in columns are empty in the source record)

Vendor  Product
hp      1dt61a_firmware
hp      1jl02a_firmware
hp      1jl02b_firmware
hp      1sh08_firmware
hp      2nd31a_firmware
hp      3aw44a_firmware
hp      3aw51a_firmware
hp      3yz74a_firmware
hp      4sc29a_firmware
hp      4uj28b_firmware
hp      a7f64a_firmware
hp      a7f65a_firmware
hp      a7f66a_firmware
hp      a9j40a_firmware
hp      a9j41_firmware
hp      a9t80a_firmware
hp      a9t80b_firmware
hp      a9t89a_firmware
hp      a9u19a_firmware
hp      a9u23_firmware
hp      a9u28b_firmware
hp      b4l03_firmware
hp      b4l08a_firmware
hp      b9s56a_firmware
hp      b9s57c_firmware

Detection & IOCs (extracted from sources)

Port: 53048
  • Post-exploitation involves EternalBlue (SMBv1 RCE) and DoublePulsar (kernel-level implant) being launched from the compromised printer against LAN hosts; detect SMBv1 exploitation traffic originating from printer IP addresses.
  • The Devil's Ivy (CVE-2017-9765) gSOAP vulnerability is exploitable by sending an XML payload larger than 2 GB to TCP port 53048 on the printer; alert on unusually large XML POST requests to this port.
  • Use Tenable Plugin 111666 (hp_printers_HPSBHF03589.nasl) to detect vulnerable HP printer firmware versions on the network.
  • Use Tenable Plugin 111667 (hp_www_detect.nbin) to fingerprint HP embedded web servers on the network as a precursor to identifying affected devices.
  • No ASLR is deployed on the affected firmware, meaning ROP/shellcode exploits are highly reliable once a memory corruption primitive is achieved; standard ASLR-based mitigations do not apply.
  • The firmware runs all tasks in Kernel-Mode under a flat memory model with no process isolation, meaning code execution from any task yields full device control.
  • The ARM CPU's separate D-Cache and I-Cache mean injected shellcode must flush both caches before execution; exploit chains will include a cache-flush ROP stage before shellcode runs.

CVSS provenance

NVD, CVSS v3.0: 9.8 (CRITICAL), vector CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
NVD, CVSS v2.0: 7.5 (HIGH), vector AV:N/AC:L/Au:N/C:P/I:P/A:P