HP ENVY 5000 Series Printers Denial-of-Service Vulnerability

A denial-of-service vulnerability has been identified in HP ENVY 5000 series printers, specifically in models running the firmware version VERBASPP1N003.2237A.00. The issue arises from improper management of concurrent TCP connections to port 9100, which is used for JetDirect/RAW printing. An unauthenticated remote attacker on the same network can establish a persistent connection to this port and send keep-alive packets. This exploitation locks the printer's session threads in a waiting state, causing a disruption in service. The firmware does not include connection timeouts or limits on concurrent sessions, leading to a persistent state where the printer becomes unresponsive to user commands and print jobs. To restore functionality, a manual restart of the device is required, after which the attack can be quickly re-initiated.

Impact

Exploitation of this vulnerability causes the printer to become unresponsive, disrupting workflows and requiring manual intervention to restore functionality. The denial-of-service condition can be immediately re-initiated after the printer is restarted.

Reproduction

The vulnerability can be reproduced by opening a persistent connection to the printer's port 9100 and sending periodic keep-alive packets. This process can be automated with a proof-of-concept script that reconnects and resumes sending keep-alive messages if the connection is lost.

Remediation

HP should implement measures such as limiting concurrent connections from the same IP address, introducing rate limiting for connection attempts, and establishing session timeouts for idle connections.