Attacker Value
Moderate
(3 users assessed)
Exploitability
Low
(3 users assessed)
User Interaction
None
Privileges Required
Low
Attack Vector
Local
3

CVE-2021-3438

Disclosure Date: May 20, 2021
CVE-2021-3438 CVSS v3 Base Score: 7.8
Add MITRE ATT&CK tactics and techniques that apply to this CVE.
Impact
Techniques
Validation
Validated
Validated

Description

A potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers could lead to an escalation of privilege.

Add Assessment

4
Ratings
  • Attacker Value
    Very Low
  • Exploitability
    Very Low
Common in enterpriseVulnerable in default configurationDifficult to weaponize
Technical Analysis

Here you can read the entire analysis: https://voidsec.com/root-cause-analysis-of-cve-2021-3438/
The vulnerable function sub_15070 copies bytes from the user’s input buffer via the strncpy function call with an arbitrary size parameter (controlled by the user), causing a buffer overflow. The buffer, initialized with all zeroes in the .data segment, is the only reference in all of the section and it is only used in the highlighted strncpy operation; there are no pointers nor interesting structures written inside the segement that we can corrupt to redirect the execution flow.
I can confidently say that this vulnerability can, at best, be used to perform a local Denial of Service (DoS) crashing the entire OS.
I think a more appropriate CVSS score is 6.5, rather than the arbitrary 8.8/10 score given to the original CVE.

Thx to @wvu-r7 for the peer review.

Log in to Add Reply
1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    Very Low
Gives privileged accessVulnerable in default configuration
Technical Analysis

(Edited for clarity only.)

Update: Paolo Stagno (VoidSec) has analyzed this vulnerability and posited that it is not exploitable beyond DoS. I agree with their analysis and have updated my ratings as a result. My pre-analysis assessment is preserved below. More details to come! Please see VoidSec’s assessment. :)

Local privilege escalation in an ancient yet widely distributed printer driver for Windows. Mis-bounded strncpy() buffer overflow in kernel space, so exploitation requires skill and precision to pull off, though the vulnerability itself is incredibly straightforward. Could be a reliable root for years to come. Patch this normally and don’t freak out.

Log in to Add Reply
1
Ratings
  • Attacker Value
    Medium
  • Exploitability
    High
Technical Analysis

HP and Xerox released security updates for an exploitable kernel drive vulnerability (CVE-2021-3438) that affects the buffer overflow in the SPPORT.SYS driver for over 380 various HP and Samsung printers and approximately a dozen different Xerox printers. Successful exploitation could allow unauthorized actors to gain SYSTEM level permissions and execute code in kernel mode
https://labs.sentinelone.com/cve-2021-3438-16-years-in-hiding-millions-of-printers-worldwide-vulnerable/

Log in to Add Reply
CVSS V3 Severity and Metrics
Base Score:
7.8 High
Impact Score:
5.9
Exploitability Score:
1.8
Vector:
CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV):
Local
Attack Complexity (AC):
Low
Privileges Required (PR):
Low
User Interaction (UI):
None
Scope (S):
Unchanged
Confidentiality (C):
High
Integrity (I):
High
Availability (A):
High

General Information

Offensive Application
Unknown
Utility Class
Unknown
Ports
Unknown
OS
Unknown
Vulnerable Versions
Certain HP LaserJet products and Samsung product printers, see Security Bulletin Various, see Security Bulletin
Prerequisites
Unknown
Discovered By
Unknown
PoC Author
Unknown
Metasploit Module
Unknown
Reporter
Unknown

Vendors

Products

Weaknesses

Additional Info

Authenticated
Unknown
Exploitable
Unknown
Reliability
Unknown
Stability
Unknown
Available Mitigations
Unknown
Shelf Life
Unknown
Userbase/Installbase
Unknown
Patch Effectiveness
Unknown
Technical Analysis