Moderate
CVE-2021-3438
Description
A potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers could lead to an escalation of privilege.
Ratings
- Attacker Value: Very Low
- Exploitability: Very Low
Technical Analysis
Here you can read the entire analysis: https://voidsec.com/root-cause-analysis-of-cve-2021-3438/
The vulnerable function sub_15070 copies bytes from the user’s input buffer via the strncpy function call with an arbitrary size parameter (controlled by the user), causing a buffer overflow. The buffer, initialized with all zeroes in the .data segment, is the only reference in all of the section and it is only used in the highlighted strncpy operation; there are no pointers nor interesting structures written inside the segment that we can corrupt to redirect the execution flow.
I can confidently say that this vulnerability can, at best, be used to perform a local Denial of Service (DoS) crashing the entire OS.
I think a more appropriate CVSS score is 6.5, rather than the arbitrary 8.8/10 score given to the original CVE.
Thx to @wvu-r7 for the peer review.
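The strncpy pattern described in this assessment, modelled in user-mode C as an added example (not VoidSec’s code and not the driver’s): the unchecked copy beside a checked handler that refuses any request whose length the destination cannot hold. The buffer size, the function names and the shape of the request are assumptions; the page gives only the function address sub_15070 and the fact that the length is caller-controlled.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the driver's zero-initialised .data buffer.
 * The real buffer size is not given on the page; 64 bytes is an assumption. */
#define SCRATCH_SIZE 64
static char g_scratch[SCRATCH_SIZE];

/* The pattern the analysis describes: the strncpy length comes straight from
 * the request and is never compared with the destination size, so a length
 * larger than SCRATCH_SIZE runs past g_scratch. Kept here for contrast only;
 * nothing in this file calls it. */
void copy_unchecked(const char *in, size_t len_from_user)
{
    strncpy(g_scratch, in, len_from_user);
}

/* Hardened handler: the request is rejected (the way a driver would fail the
 * IOCTL with an invalid-parameter status) whenever the claimed length does not
 * leave room for a terminator, so the copy can never exceed the destination. */
bool copy_checked(const char *in, size_t len_from_user)
{
    if (in == NULL || len_from_user >= SCRATCH_SIZE) {
        return false;
    }
    memset(g_scratch, 0, SCRATCH_SIZE);
    /* strncpy stops at the first NUL in `in` and pads the remainder with NULs */
    strncpy(g_scratch, in, len_from_user);
    g_scratch[len_from_user] = '\0';   /* terminated even when len == strlen(in) */
    return true;
}

/* Read-only view of the buffer for callers and tests. */
const char *scratch_contents(void)
{
    return g_scratch;
}

int main(void)
{
    /* Constructed sample requests: one that fits, one that claims far too much. */
    bool ok = copy_checked("hello", 5);
    printf("5-byte request accepted: %d, buffer = \"%s\"\n", ok, scratch_contents());
    ok = copy_checked("hello", SCRATCH_SIZE + 100);
    printf("oversized request accepted: %d\n", ok);
    return 0;
}
```

Rejecting the request, rather than silently clamping the length to the buffer size, is the safer repair for a driver: the caller learns that its length was invalid instead of receiving a truncated copy it did not ask for, and the kernel never touches memory past the buffer either way.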
Ratings
- Attacker Value: Medium
- Exploitability: Very Low
Technical Analysis
(Edited for clarity only.)
Update: Paolo Stagno (VoidSec) has analyzed this vulnerability and posited that it is not exploitable beyond DoS. I agree with their analysis and have updated my ratings as a result. My pre-analysis assessment is preserved below. More details to come! Please see VoidSec’s assessment. :)
Local privilege escalation in an ancient yet widely distributed printer driver for Windows. Mis-bounded strncpy() buffer overflow in kernel space, so exploitation requires skill and precision to pull off, though the vulnerability itself is incredibly straightforward. Could be a reliable root for years to come. Patch this normally and don’t freak out.
Ratings
- Attacker Value: Medium
- Exploitability: High
Technical Analysis
HP and Xerox released security updates for an exploitable kernel driver vulnerability (CVE-2021-3438) that affects the buffer overflow in the SPPORT.SYS driver for over 380 various HP and Samsung printers and approximately a dozen different Xerox printers. Successful exploitation could allow unauthorized actors to gain SYSTEM level permissions and execute code in kernel mode.
https://labs.sentinelone.com/cve-2021-3438-16-years-in-hiding-millions-of-printers-worldwide-vulnerable/
General Information
Products
- Certain HP LaserJet products and Samsung product printers, see Security Bulletin