Attacker Value
Moderate
(3 users assessed)
Exploitability
Low
(3 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
2

CVE-2021-3438

Disclosure Date: May 20, 2021
CVE-2021-3438 CVSS v3 Base Score: 7.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Impact
Techniques
Validation
Validated
Validated

Description

A potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers could lead to an escalation of privilege.

Add Assessment

4
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very Low
Common in enterpriseVulnerable in default configurationDifficult to weaponize
Technical Analysis

Here you can read the entire analysis: https://voidsec.com/root-cause-analysis-of-cve-2021-3438/
The vulnerable function sub_15070 copies bytes from the user’s input buffer via the strncpy function call with an arbitrary size parameter (controlled by the user), causing a buffer overflow. The buffer, initialized with all zeroes in the .data segment, is the only reference in all of the section and it is only used in the highlighted strncpy operation; there are no pointers nor interesting structures written inside the segement that we can corrupt to redirect the execution flow.
I can confidently say that this vulnerability can, at best, be used to perform a local Denial of Service (DoS) crashing the entire OS.
I think a more appropriate CVSS score is 6.5, rather than the arbitrary 8.8/10 score given to the original CVE.

Thx to @wvu-r7 for the peer review.

Log in to Add Reply
1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very Low
Gives privileged accessVulnerable in default configuration
Technical Analysis

(Edited for clarity only.)

Update: Paolo Stagno (VoidSec) has analyzed this vulnerability and posited that it is not exploitable beyond DoS. I agree with their analysis and have updated my ratings as a result. My pre-analysis assessment is preserved below. More details to come! Please see VoidSec’s assessment. :)

Local privilege escalation in an ancient yet widely distributed printer driver for Windows. Mis-bounded strncpy() buffer overflow in kernel space, so exploitation requires skill and precision to pull off, though the vulnerability itself is incredibly straightforward. Could be a reliable root for years to come. Patch this normally and don’t freak out.

Log in to Add Reply
1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    High
Technical Analysis

HP and Xerox released security updates for an exploitable kernel drive vulnerability (CVE-2021-3438) that affects the buffer overflow in the SPPORT.SYS driver for over 380 various HP and Samsung printers and approximately a dozen different Xerox printers. Successful exploitation could allow unauthorized actors to gain SYSTEM level permissions and execute code in kernel mode
https://labs.sentinelone.com/cve-2021-3438-16-years-in-hiding-millions-of-printers-worldwide-vulnerable/

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Certain HP LaserJet products and Samsung product printers, see Security Bulletin Various, see Security Bulletin
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

  • hp,
  • samsung

Products

  • clp-360 ss062a -,
  • clp-365 ss066a -,
  • clp-365 ss067a -,
  • clp-365 sw139a -,
  • clp-366 ss068a -,
  • clp-366 sv600a -,
  • clp-368 sv601a -,
  • clp-560 sv611a -,
  • clp-560 sv612a -,
  • clp-680 ss075a -,
  • clp-680 ss076a -,
  • clp-775 ss078a -,
  • clp-775 ss079a -,
  • clx-3300 ss088a -,
  • clx-3300 sv677a -,
  • clx-3305 ss093a -,
  • clx-3305 ss094a -,
  • clx-3305 ss095a -,
  • clx-3305 ss096a -,
  • clx-6260 ss105a -,
  • clx-6260 ss106a -,
  • clx-6260 ss107a -,
  • clx-6260 ss108a -,
  • clx-6260 sw177a -,
  • color laser 150 4zb94a -,
  • color laser 150 4zb95a -,
  • color laser mfp 170 4zb96a -,
  • color laser mfp 170 4zb97a -,
  • color laser mfp 170 6hu08a -,
  • color laser mfp 170 6hu09a -,
  • laser 100 209u7a -,
  • laser 100 4zb79a -,
  • laser 100 4zb80a -,
  • laser 100 4zb81a -,
  • laser 100 5ue14a -,
  • laser 408 7uq75a -,
  • laser mfp 130 4zb82a -,
  • laser mfp 130 4zb83a -,
  • laser mfp 130 4zb84a -,
  • laser mfp 130 4zb85a -,
  • laser mfp 130 4zb86a -,
  • laser mfp 130 4zb87a -,
  • laser mfp 130 4zb88a -,
  • laser mfp 130 4zb89a -,
  • laser mfp 130 4zb90a -,
  • laser mfp 130 4zb91a -,
  • laser mfp 130 4zb92a -,
  • laser mfp 130 4zb93a -,
  • laser mfp 130 5ue15a -,
  • laser mfp 130 6hu10a -,
  • laser mfp 130 6hu11a -,
  • laser mfp 130 6hu12a -,
  • laser mfp 130 9vv52a -,
  • laser mfp 432 7uq76a -,
  • laserjet mfp m42523 7ab26a -,
  • laserjet mfp m42523 7zb25a -,
  • laserjet mfp m42523 7zb72a -,
  • laserjet mfp m42625 8af49a -,
  • laserjet mfp m42625 8af50a -,
  • laserjet mfp m42625 8af51a -,
  • laserjet mfp m42625 8af52a -,
  • laserjet mfp m433 1vr14a -,
  • laserjet mfp m436 2ky38a -,
  • laserjet mfp m436 w7u01a -,
  • laserjet mfp m436 w7u02a -,
  • laserjet mfp m437 7zb19a -,
  • laserjet mfp m437 7zb20a -,
  • laserjet mfp m437 7zb21a -,
  • laserjet mfp m438 8af43a -,
  • laserjet mfp m438 8af44a -,
  • laserjet mfp m438 8af45a -,
  • laserjet mfp m439 7zb22a -,
  • laserjet mfp m439 7zb23a -,
  • laserjet mfp m439 7zb24a -,
  • laserjet mfp m440 8af46a -,
  • laserjet mfp m440 8af47a -,
  • laserjet mfp m440 8af48a -,
  • laserjet mfp m442 8af71a -,
  • laserjet mfp m443 8af72a -,
  • laserjet mfp m72625-m72630 2zn49a -,
  • laserjet mfp m72625-m72630 2zn50a -,
  • ml-3750 ss138a -,
  • ml-4510 ss141a -,
  • ml-4512 ss142a -,
  • ml-5010 ss145a -,
  • ml-5012 ss146a -,
  • ml-5015 ss147a -,
  • ml-5017 ss148a -,
  • ml-5510 ss149a -,
  • ml-5510 ss150a -,
  • ml-5510 ss151a -,
  • ml-5510 ss152a -,
  • ml-5510 sv897a -,
  • ml-5510 sv898a -,
  • ml-6510 ss153a -,
  • ml-6510 ss154a -,
  • ml-6510 sv899c -,
  • ml-6510 sv900a -,
  • ml-6510 sv901a -,
  • multixpress clx-9251 ss005a -,
  • multixpress clx-9251 sv719a -,
  • multixpress clx-9301 ss007a -,
  • multixpress clx-9301 sw152a -,
  • multixpress clx-9301 sw179a -,
  • multixpress scx-8128 ss018a -,
  • multixpress scx-8128 ss019a -,
  • multixpress scx-8128 ss020a -,
  • multixpress scx-8128 sw172a -,
  • multixpress scx-8230 ss021a -,
  • multixpress scx-8240 ss022a -,
  • multixpress scx-8240 st717a -,
  • multixpress scx-8240 sw185a -,
  • multixpress sl-k2200 ss024a -,
  • multixpress sl-k2200 ss025a -,
  • multixpress sl-k3250 ss027e -,
  • multixpress sl-k3300 ss028a -,
  • multixpress sl-k4250 ss030a -,
  • multixpress sl-k4250 ss031a -,
  • multixpress sl-k4300 ss032a -,
  • multixpress sl-k4350 ss033a -,
  • multixpress sl-k7400 ss037a -,
  • multixpress sl-k7400 ss038a -,
  • multixpress sl-k7500 ss039a -,
  • multixpress sl-k7500 ss040a -,
  • multixpress sl-k7600 ss041a -,
  • multixpress sl-k7600 ss042a -,
  • multixpress sl-m4370 ss396a -,
  • multixpress sl-m4370 sw117a -,
  • multixpress sl-m5360 ss403a -,
  • multixpress sl-m5370 ss404a -,
  • multixpress sl-m5370 sw121a -,
  • multixpress sl-x3220nr ss043e -,
  • multixpress sl-x3280 ss044a -,
  • multixpress sl-x4220 ss047a -,
  • multixpress sl-x4250 ss048a -,
  • multixpress sl-x4300 ss049a -,
  • multixpress sl-x7400 ss053a -,
  • multixpress sl-x7400 ss054a -,
  • multixpress sl-x7500 ss055a -,
  • multixpress sl-x7500 ss056a -,
  • multixpress sl-x7600 ss058a -,
  • multixpress sl-x7600 ss059a -,
  • proxpress sl-c3010 ss201c -,
  • proxpress sl-c3010 ss209a -,
  • proxpress sl-c3010 ss210a -,
  • proxpress sl-c3010 ss210b -,
  • proxpress sl-c3010 ss210d -,
  • proxpress sl-c3010 ss210e -,
  • proxpress sl-c3010 ss210f -,
  • proxpress sl-c3010 ss210g -,
  • proxpress sl-c3010 ss210h -,
  • proxpress sl-c3010 ss210j -,
  • proxpress sl-c3010 ss210k -,
  • proxpress sl-c3010 ss210l -,
  • proxpress sl-c3010 ss210m -,
  • proxpress sl-c3010 ss210p -,
  • proxpress sl-c3060 s221b -,
  • proxpress sl-c3060 ss211a -,
  • proxpress sl-c3060 ss211c -,
  • proxpress sl-c3060 ss211d -,
  • proxpress sl-c3060 ss211e -,
  • proxpress sl-c3060 ss211f -,
  • proxpress sl-c3060 ss211g -,
  • proxpress sl-c3060 ss211h -,
  • proxpress sl-c3060 ss211j -,
  • proxpress sl-c3060 ss211k -,
  • proxpress sl-c3060 ss211l -,
  • proxpress sl-c3060 ss211m -,
  • proxpress sl-c3060 ss211n -,
  • proxpress sl-c3060 ss211p -,
  • proxpress sl-c3060 ss211q -,
  • proxpress sl-c3060 ss213a -,
  • proxpress sl-c3060 ss213b -,
  • proxpress sl-c3060 ss213c -,
  • proxpress sl-c3060 ss213d -,
  • proxpress sl-c3060 ss213e -,
  • proxpress sl-c3060 ss213f -,
  • proxpress sl-c3060 ss213g -,
  • proxpress sl-c3060 ss213h -,
  • proxpress sl-c4010 ss215a -,
  • proxpress sl-c4010 ss216a -,
  • proxpress sl-c4010 ss216b -,
  • proxpress sl-c4010 ss216c -,
  • proxpress sl-c4010 ss216d -,
  • proxpress sl-c4010 ss216e -,
  • proxpress sl-c4010 ss216f -,
  • proxpress sl-c4010 ss216g -,
  • proxpress sl-c4010 ss216h -,
  • proxpress sl-c4010 ss216j -,
  • proxpress sl-c4010 ss216k -,
  • proxpress sl-c4010 ss216l -,
  • proxpress sl-c4010 ss216m -,
  • proxpress sl-c4010 ss216n -,
  • proxpress sl-c4010 ss216p -,
  • proxpress sl-c4010 ss216q -,
  • proxpress sl-c4010 ss216s -,
  • proxpress sl-c4010 ss216t -,
  • proxpress sl-c4010 ss216u -,
  • proxpress sl-c4010 ss216v -,
  • proxpress sl-c4010 ss216z -,
  • proxpress sl-c4012 ss217a -,
  • proxpress sl-c4060 ss218a -,
  • proxpress sl-c4062 ss219a -,
  • proxpress sl-m3320nd ss365a -,
  • proxpress sl-m3321 ss366a -,
  • proxpress sl-m3325 ss367a -,
  • proxpress sl-m3370 ss378a -,
  • proxpress sl-m3375fd ss368f -,
  • proxpress sl-m3375fd ss369a -,
  • proxpress sl-m3375fd ss369b -,
  • proxpress sl-m3375fd ss369c -,
  • proxpress sl-m3375fd ss369d -,
  • proxpress sl-m3375fd ss369e -,
  • proxpress sl-m3820 ss371a -,
  • proxpress sl-m3820 ss371b -,
  • proxpress sl-m3820 ss371c -,
  • proxpress sl-m3820 ss371d -,
  • proxpress sl-m3820 ss372c -,
  • proxpress sl-m3820 ss373a -,
  • proxpress sl-m3820 ss373b -,
  • proxpress sl-m3820 ss373c -,
  • proxpress sl-m3820 ss373d -,
  • proxpress sl-m3820 ss373e -,
  • proxpress sl-m3820 ss373f -,
  • proxpress sl-m3820 ss373g -,
  • proxpress sl-m3820 ss373h -,
  • proxpress sl-m3820 ss373j -,
  • proxpress sl-m3820 ss373k -,
  • proxpress sl-m3820 ss373l -,
  • proxpress sl-m3820 ss373m -,
  • proxpress sl-m3820 ss373n -,
  • proxpress sl-m3820 ss373p -,
  • proxpress sl-m3820 ss373q -,
  • proxpress sl-m3820 ss373s -,
  • proxpress sl-m3820 ss373t -,
  • proxpress sl-m3820 ss373u -,
  • proxpress sl-m3820 ss373v -,
  • proxpress sl-m3820 ss373w -,
  • proxpress sl-m3820 ss373z -,
  • proxpress sl-m3820 ss375b -,
  • proxpress sl-m3825 ss374a -,
  • proxpress sl-m3825 ss375a -,
  • proxpress sl-m3825 ss376a -,
  • proxpress sl-m3870 ss377a -,
  • proxpress sl-m3870 ss378a -,
  • proxpress sl-m3875 ss379a -,
  • proxpress sl-m3875 ss380a -,
  • proxpress sl-m3875 ss381a -,
  • proxpress sl-m3875 ss382a -,
  • proxpress sl-m4020 4pt7b -,
  • proxpress sl-m4020 4pt87a -,
  • proxpress sl-m4020 ss383c -,
  • proxpress sl-m4020 ss383k -,
  • proxpress sl-m4020 ss383l -,
  • proxpress sl-m4020 ss383x -,
  • proxpress sl-m4020 ss383y -,
  • proxpress sl-m4024 ss385a -,
  • proxpress sl-m4025 ss386a -,
  • proxpress sl-m4025 ss387a -,
  • proxpress sl-m4030 ss388a -,
  • proxpress sl-m4070 ss389j -,
  • proxpress sl-m4070 ss390c -,
  • proxpress sl-m4072 ss391a -,
  • proxpress sl-m4075 ss392a -,
  • proxpress sl-m4075 ss393a -,
  • proxpress sl-m4075 ss394a -,
  • proxpress sl-m4080 ss395a -,
  • proxpress sl-m4530 ss397e -,
  • proxpress sl-m4530 ss397g -,
  • proxpress sl-m4530 ss398d -,
  • proxpress sl-m4560 ss399a -,
  • proxpress sl-m4560 ss400a -,
  • proxpress sl-m4580 ss401a -,
  • proxpress sl-m4580 ss402a -,
  • scx-3400 ss155a -,
  • scx-3400 ss156a -,
  • scx-3400 sv938a -,
  • scx-3401 ss157a -,
  • scx-3401 ss158a -,
  • scx-3401 sv393a -,
  • scx-3405 ss159a -,
  • scx-3405 ss160a -,
  • scx-3405 ss161a -,
  • scx-3405 ss162a -,
  • scx-3405 ss163a -,
  • scx-3405 sv943a -,
  • scx-3405 sw313a -,
  • scx-3405 sw314a -,
  • scx-3406 ss164a -,
  • scx-3406 sv298a -,
  • scx-3406 sv945a -,
  • scx-3406 sv946a -,
  • scx-3406 sv947a -,
  • scx-3406 sw127a -,
  • scx-4021 ss165a -,
  • scx-4521 ss167a -,
  • scx-4521 ss168a -,
  • scx-4521 sv530a -,
  • scx-4521 sv966a -,
  • scx-4521 sv967a -,
  • scx-4521 sv968a -,
  • scx-4521 sv969a -,
  • scx-4521 sw129a -,
  • scx-4650 sb983a -,
  • scx-4650 ss171a -,
  • scx-4650 ss172a -,
  • scx-4655 ss174a -,
  • scx-4655 sv988a -,
  • scx-4655 sv989a -,
  • scx-4833 ss180a -,
  • scx-4833 ss181a -,
  • scx-4833 sw019a -,
  • scx-4835 sw020a -,
  • scx-4835 sw021a -,
  • scx-5635 sw040a -,
  • scx-5635 sw041a -,
  • scx-5635 sw093a -,
  • scx-5637 ss182a -,
  • scx-5637 sw043a -,
  • scx-5639 st676a -,
  • scx-5737 ss183a -,
  • scx-5737 sw045a -,
  • scx-5737 sw046a -,
  • sf-760 ss195a -,
  • sf-760 ss196a -,
  • sf-760 ss197a -,
  • sf-760 ss198a -,
  • sf-760 ss199a -,
  • xpress sl-c1860 ss205a -,
  • xpress sl-c430 ss229a -,
  • xpress sl-c430 ss230a -,
  • xpress sl-c480 ss254a -,
  • xpress sl-c480 ss255a -,
  • xpress sl-c480 ss256a -,
  • xpress sl-c480 ss257a -,
  • xpress sl-m2020 ss271a -,
  • xpress sl-m2020 ss272a -,
  • xpress sl-m2070 ss293a -,
  • xpress sl-m2070 ss294a -,
  • xpress sl-m2070 ss295a -,
  • xpress sl-m2070 ss296a -,
  • xpress sl-m2070 ss297a -,
  • xpress sl-m2070 ss298a -,
  • xpress sl-m2620 ss322a -,
  • xpress sl-m2620 ss323a -,
  • xpress sl-m2620 ss324a -,
  • xpress sl-m2621 ss325a -,
  • xpress sl-m2625 ss326a -,
  • xpress sl-m2625 ss327a -,
  • xpress sl-m2626 ss328a -,
  • xpress sl-m2626 ss329a -,
  • xpress sl-m2670 ss330a -,
  • xpress sl-m2670 ss331a -,
  • xpress sl-m2671 ss332a -,
  • xpress sl-m2671 ss333a -,
  • xpress sl-m2675 ss334a -,
  • xpress sl-m2675 ss335a -,
  • xpress sl-m2675 ss336a -,
  • xpress sl-m2675 sw112a -,
  • xpress sl-m2676 ss337a -,
  • xpress sl-m2676 ss338a -,
  • xpress sl-m2676 sw113a -,
  • xpress sl-m2820 ss339a -,
  • xpress sl-m2820 ss340a -,
  • xpress sl-m2821 ss341a -,
  • xpress sl-m2825 ss342a -,
  • xpress sl-m2825 ss343a -,
  • xpress sl-m2826 ss344a -,
  • xpress sl-m2835 ss346a -,
  • xpress sl-m2870 ss348a -,
  • xpress sl-m2870 ss349a -,
  • xpress sl-m2871 ss350a -,
  • xpress sl-m2875 ss351a -,
  • xpress sl-m2875 ss352a -,
  • xpress sl-m2875 ss353a -,
  • xpress sl-m2875 ss354a -,
  • xpress sl-m2876 ss355a -,
  • xpress sl-m2876 ss356a -,
  • xpress sl-m2876 ss357a -,
  • xpress sl-m2880 ss358a -,
  • xpress sl-m2885 ss359a -,
  • xpress sl-m3015 ss360a -

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis