Attacker Value: Moderate (3 users assessed)
Exploitability: Low (3 users assessed)
User Interaction: None
Privileges Required: Low
Attack Vector: Local
3

CVE-2021-3438

Disclosure Date: May 20, 2021
Validation: Validated

Description

A potential buffer overflow in the software drivers for certain HP LaserJet products and Samsung product printers could lead to an escalation of privilege.


4
Ratings
Technical Analysis

Here you can read the entire analysis: https://voidsec.com/root-cause-analysis-of-cve-2021-3438/
The vulnerable function sub_15070 copies bytes from the user’s input buffer via the strncpy function call with an arbitrary size parameter (controlled by the user), causing a buffer overflow. The buffer, initialized with all zeroes in the .data segment, is the only reference in all of the section and it is only used in the highlighted strncpy operation; there are no pointers nor interesting structures written inside the segment that we can corrupt to redirect the execution flow.
I can confidently say that this vulnerability can, at best, be used to perform a local Denial of Service (DoS) crashing the entire OS.
I think a more appropriate CVSS score is 6.5, rather than the arbitrary 8.8/10 score given to the original CVE.

Thx to @wvu-r7 for the peer review.

1
Ratings
  • Attacker Value: Medium
  • Exploitability: Very Low
Technical Analysis

(Edited for clarity only.)

Update: Paolo Stagno (VoidSec) has analyzed this vulnerability and posited that it is not exploitable beyond DoS. I agree with their analysis and have updated my ratings as a result. My pre-analysis assessment is preserved below. More details to come! Please see VoidSec’s assessment. :)
Local privilege escalation in an ancient yet widely distributed printer driver for Windows. Mis-bounded strncpy() buffer overflow in kernel space, so exploitation requires skill and precision to pull off, though the vulnerability itself is incredibly straightforward. Could be a reliable root for years to come. Patch this normally and don’t freak out.

1
Ratings
  • Attacker Value: Medium
  • Exploitability: High
Technical Analysis

HP and Xerox released security updates for an exploitable kernel driver vulnerability (CVE-2021-3438) that affects the buffer overflow in the SPPORT.SYS driver for over 380 various HP and Samsung printers and approximately a dozen different Xerox printers. Successful exploitation could allow unauthorized actors to gain SYSTEM level permissions and execute code in kernel mode.
https://labs.sentinelone.com/cve-2021-3438-16-years-in-hiding-millions-of-printers-worldwide-vulnerable/

CVSS V3 Severity and Metrics
Base Score: 7.8 High
Impact Score: 5.9
Exploitability Score: 1.8
Vector: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector (AV): Local
Attack Complexity (AC): Low
Privileges Required (PR): Low
User Interaction (UI): None
Scope (S): Unchanged
Confidentiality (C): High
Integrity (I): High
Availability (A): High
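Because the assessments above dispute the score, here is the CVSS 3.1 base-score formula worked through in C against the vector shown, as an added example that is not part of the page and not NVD's calculator. It parses the vector string, applies the specification's metric weights and its Roundup function, and reports the base score together with the unrounded impact and exploitability sub-scores; the second vector in main() is a constructed availability-only variant included for comparison, not a vector taken from any of the assessments.

```c
#include <stdio.h>
#include <string.h>

/* Unrounded sub-scores plus the final base score, per the CVSS 3.1 specification. */
typedef struct {
    double impact;
    double exploitability;
    double base;
} cvss31_scores;

/* CVSS 3.1 "Roundup": round up to one decimal using the spec's integer form, which
   avoids floating-point artefacts. Integer arithmetic only, so no libm is needed. */
static double cvss31_roundup(double x)
{
    long i = (long)(x * 100000.0 + 0.5);        /* x is never negative here */
    if (i % 10000 == 0)
        return i / 100000.0;
    return (double)(i / 10000 + 1) / 10.0;
}

/* Weight of one base-metric value; PR depends on Scope. Returns -1.0 on unknown input. */
static double weight(const char *name, char v, char scope)
{
    if (!strcmp(name, "AV")) return v == 'N' ? 0.85 : v == 'A' ? 0.62 : v == 'L' ? 0.55 : v == 'P' ? 0.2 : -1.0;
    if (!strcmp(name, "AC")) return v == 'L' ? 0.77 : v == 'H' ? 0.44 : -1.0;
    if (!strcmp(name, "PR")) {
        if (v == 'N') return 0.85;
        if (v == 'L') return scope == 'C' ? 0.68 : 0.62;
        if (v == 'H') return scope == 'C' ? 0.50 : 0.27;
        return -1.0;
    }
    if (!strcmp(name, "UI")) return v == 'N' ? 0.85 : v == 'R' ? 0.62 : -1.0;
    if (!strcmp(name, "C") || !strcmp(name, "I") || !strcmp(name, "A"))
        return v == 'H' ? 0.56 : v == 'L' ? 0.22 : v == 'N' ? 0.0 : -1.0;
    return -1.0;
}

/* Parses a base-metric vector ("CVSS:3.1/AV:../AC:../PR:../UI:../S:../C:../I:../A:..")
   and fills *out. Returns 0 on success, -1 on a malformed or incomplete vector. */
int cvss31_score(const char *vector, cvss31_scores *out)
{
    char buf[128];
    char val[8] = {0};                          /* 0=AV 1=AC 2=PR 3=UI 4=S 5=C 6=I 7=A */
    const char *names[8] = {"AV", "AC", "PR", "UI", "S", "C", "I", "A"};

    if (vector == NULL || strlen(vector) >= sizeof buf || strncmp(vector, "CVSS:3.1/", 9) != 0)
        return -1;
    strcpy(buf, vector + 9);                    /* length checked above */
    for (char *tok = strtok(buf, "/"); tok != NULL; tok = strtok(NULL, "/")) {
        char *colon = strchr(tok, ':');
        if (colon == NULL || strlen(colon) != 2)
            return -1;                          /* expect exactly "NAME:X" */
        *colon = '\0';
        int k;
        for (k = 0; k < 8; k++)
            if (strcmp(tok, names[k]) == 0) break;
        if (k == 8) return -1;                  /* temporal/environmental metrics not handled */
        val[k] = colon[1];
    }
    for (int k = 0; k < 8; k++)
        if (val[k] == 0) return -1;             /* every base metric is mandatory */
    char scope = val[4];
    if (scope != 'U' && scope != 'C') return -1;

    double w[8];
    for (int k = 0; k < 8; k++) {
        if (k == 4) continue;
        w[k] = weight(names[k], val[k], scope);
        if (w[k] < 0) return -1;
    }
    double iss = 1.0 - (1.0 - w[5]) * (1.0 - w[6]) * (1.0 - w[7]);
    double impact;
    if (scope == 'U') {
        impact = 6.42 * iss;
    } else {
        double p = 1.0;                         /* (iss - 0.02)^15 without libm */
        for (int k = 0; k < 15; k++) p *= (iss - 0.02);
        impact = 7.52 * (iss - 0.029) - 3.25 * p;
    }
    double expl = 8.22 * w[0] * w[1] * w[2] * w[3];
    double sum = scope == 'U' ? impact + expl : 1.08 * (impact + expl);

    out->impact = impact;
    out->exploitability = expl;
    out->base = impact <= 0 ? 0.0 : cvss31_roundup(sum > 10.0 ? 10.0 : sum);
    return 0;
}

int main(void)
{
    /* The vector from the page, then a constructed availability-only variant for contrast. */
    const char *vectors[] = {
        "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
        "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H",
    };
    cvss31_scores sc;
    for (int k = 0; k < 2; k++)
        if (cvss31_score(vectors[k], &sc) == 0)
            printf("%s -> base %.1f (impact %.1f, exploitability %.1f)\n",
                   vectors[k], sc.base, sc.impact, sc.exploitability);
    return 0;
}
```

For the page's vector the unrounded sub-scores come out at about 5.87 and 1.83, which the table above shows rounded to 5.9 and 1.8, and their sum rounds up to the 7.8 base score; dropping confidentiality and integrity to None while keeping the rest of the vector fixed is what moves the result, which is the crux of the disagreement between the assessments.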

General Information

Products

  • Certain HP LaserJet products and Samsung product printers, see Security Bulletin
