Hewlett-Packard has warned that a vulnerability in the software that ships with two of its printers could expose a Windows PC to attack. The security flaw, reported by HP and security firm Secunia, was discovered by Richard Horsman of Sec-1.com.
Horsman found the vulnerability in the Toolbox software that comes with HP's Color LaserJet 2500 and 4600 printers. If exploited, the flaw could allow an unauthorized user elsewhere on the network to pull files from the Windows PC on which the Toolbox software is installed.
The flaw is exploitable only if the software is running in its default configuration, HP noted in its security alert.
Like similar programs from other printer vendors, HP's Toolbox software installs automatically onto a PC, along with necessary print drivers. The program is designed to give users print-status information, such as where their documents are in a queue, as well as troubleshooting data.
The flaw is caused by an input-validation error in the server component that is part of the software, according to Secunia's alert. This can be exploited to "disclose the contents of arbitrary files via directory traversal attacks," the firm noted.
Although reading arbitrary files from a PC could give an attacker a foothold from which to seek administrative-level control, the flaw as described is an information-disclosure issue rather than direct code execution, and Secunia rates it as "less critical."
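To make the bug class concrete, here is an added illustrative example (not HP's Toolbox code, whose internals the alert does not describe) of how a small status web server can mishandle a requested path. The three resolvers, the document root layout, and the file contents are all constructed for the demonstration: one resolver joins the request path onto the document root with no containment check, one rejects the literal "../" sequence before percent-decoding (and is therefore bypassed by an encoded request), and one canonicalizes the final path and refuses anything that resolves outside the root.

```python
import os
import tempfile
from urllib.parse import unquote


def vulnerable_resolve(docroot, request_path):
    """No containment check: '../' segments walk out of the document root."""
    rel = unquote(request_path).lstrip("/")
    return os.path.normpath(os.path.join(docroot, rel))


def filtered_resolve(docroot, request_path):
    """Rejects the literal '../' in the raw request, but decodes afterwards,
    so '%2e%2e/' slips past the filter and becomes '../' (hypothetical
    weak fix, constructed to show why string filtering is insufficient)."""
    if "../" in request_path:
        return None
    rel = unquote(request_path).lstrip("/")
    return os.path.normpath(os.path.join(docroot, rel))


def hardened_resolve(docroot, request_path):
    """Decode, canonicalize (realpath resolves '..' and symlinks), then
    require the result to still sit beneath the canonical document root."""
    root = os.path.realpath(docroot)
    rel = unquote(request_path).lstrip("/")
    candidate = os.path.realpath(os.path.join(root, rel))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate


def serve(docroot, request_path, resolver):
    """Minimal request handler: returns (status, body) for the resolved file."""
    path = resolver(docroot, request_path)
    if path is None:
        return (403, b"")
    if not os.path.isfile(path):
        return (404, b"")
    with open(path, "rb") as f:
        return (200, f.read())


def demo():
    """Build a constructed layout: htdocs/ holds the status page, and a
    'secret' file sits one level above it, outside the document root."""
    results = {}
    with tempfile.TemporaryDirectory() as base:
        docroot = os.path.join(base, "htdocs")
        os.makedirs(docroot)
        with open(os.path.join(docroot, "status.html"), "wb") as f:
            f.write(b"<h1>queue: idle</h1>")
        with open(os.path.join(base, "secret.txt"), "wb") as f:
            f.write(b"constructed secret")

        requests = ["/status.html", "/../secret.txt", "/%2e%2e/secret.txt"]
        for name, resolver in (("vulnerable", vulnerable_resolve),
                               ("filtered", filtered_resolve),
                               ("hardened", hardened_resolve)):
            results[name] = {req: serve(docroot, req, resolver) for req in requests}
    return results


if __name__ == "__main__":
    for name, outcomes in demo().items():
        for req, (status, body) in outcomes.items():
            print(f"{name:10s} {req:22s} -> {status} {body!r}")
```

The takeaway for anyone auditing a similar embedded web server: the check must run on the fully decoded, canonicalized path that will actually be opened, not on the raw request string.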
HP already has issued a patch, which is available on the company's Web site. In a statement, HP noted that it will be broadly distributing the security bulletin because it feels the issue warrants a widespread alert.
Although the HP software flaw is specific to a small number of printer models, enterprises need to be cautious about printers in general, said Secunia chief technology officer Thomas Kristensen.
Often, IT locks down other parts of the network but fails to recognize printers as a viable risk, yet attackers are well aware that they can enter a network through such an unprotected avenue.
"Since printers are connected to the network, they can be vulnerable," said Kristensen. "Attackers might use a printer connection to get to other parts of a system, and sometimes it's very easy to get into a company that way."
Secunia recommends that enterprises put added protection in place for printers, and limit or supervise user access.