SentinelLabs has discovered a severe escalation of privilege vulnerability in a printer driver used by HP, Samsung and Xerox devices since 2005 – affecting over 390 printer models and millions of computers.
The vulnerable driver gets installed on Windows systems without any user intervention, simply by plugging in a printer with a USB cable or starting (and then quitting) the printer management software. Tracked as CVE-2021-3438, the vulnerability lies in a kernel driver and can enable a standard user to escalate their privileges to the SYSTEM account on Microsoft Windows and run arbitrary code in kernel mode.
Xerox has issued their own security advisory which lists the dozen printer models affected from their range and provides links for updated drivers.
Third-party drivers, like those used by printers, are not necessarily included in the Windows Updates that Microsoft ships on the first Tuesday of each month; whether they are depends on the filters that determine which categories of updates are installed automatically. (SentinelOne reports, however, that this particular driver is included in the Windows Update system.)
Network managers may want to check whether the drivers have already been updated automatically and, if not, arrange to install them manually on affected systems to resolve the vulnerability.