Vulnerability allows printer watering hole attacks to spread malware: Vectra Networks

Researchers at the Vectra Threat Labs have discovered a critical vulnerability in Microsoft Windows that enables attackers to gain system-level control over computers via infected or fake printer drivers to spread malware.

“The vulnerability stems from a Windows process that allows users to quickly search for, add and use printers at home, in the office and over the Internet,” notes a statement Tuesday from San Jose-headquartered Vectra Networks Inc.

“Armed with system-level controls, the malware can then spread laterally from one machine across an entire network,” cautions the company, which provides automated threat management solutions for real-time detection of in-progress cyber attacks.

Researchers with Vectra Threat Labs take unexplained phenomena seen in customer networks and dig deeper to find the underlying reasons for the observed behaviour, the company statement explains.

The vulnerability was disclosed to Microsoft in April, which catalogued it as critical MS16-087 (CVE-2016-3238) and issued a patch Tuesday.

“While most devices require specific user or administrative permission before software is downloaded onto a machine, it is possible for printer drivers to bypass these restrictions,” explains Günter Ollmann, CSO of Vectra Networks.

Pointing out that “this makes printers one of the most powerful threat vectors on a network,” Ollmann notes, “rather than infecting users individually, an attacker can effectively turn one printer into a watering hole that will infect every Windows device that touches it.”

Vectra Networks maintains that printers are not always prioritized for routine patching and updates, often leaving them with “open vulnerabilities that enable an attacker to easily swap a legitimate printer driver with one carrying a malicious payload.”

And once installed, the statement explains, “the malicious file runs with system-level permissions that effectively gives the attacker full control of the machine. This process could be repeated indefinitely, infecting every new user that connects to that printer.”

Beyond that, Ollmann points out, “this attack does not even require a physical printer in order to launch.” It could be launched from a fake printer set up on the network, he explains.

Related: Malware an increasingly efficient, effective way to perpetrate data breaches

“This research underscores the many possibilities that IoT devices, like printers, present to attackers,” Ollmann suggests in the statement. “Such devices are rarely assessed for security flaws, backdoors or as watering hole threats, and represent a growing blind spot for both corporate and home networks.”

Vectra Networks is encouraging organizations to patch their systems immediately.

Technical detail on MS16-087 (CVE-2016-3238) is available via a blog post, which includes a link to more analysis and a video.