160 HP printer models contain two critical vulnerabilities

Share this…

The company has launched patches for two serious bugs that affect over 160 models of multifunctional printers

A few days after publishing their vulnerability bounty program that offers up to $10K USD for enterprise network security investigators to find bugs in their printers, HP has released two firmware patches for two severe bugs present in many models.

Enterprise network security specialists from the International Institute of Cyber Security report that hundreds of HP Inkjet printers have two remote code execution (RCE) vulnerabilities and need to be patched immediately.

According to a security statement, “two security vulnerabilities have been identified within certain HP inkjet printers. A maliciously-created file sent to an affected device can cause a static or stack buffer overflow, which could allow RCE”, the company says.

By mentioning “certain printers”, HP refers to 166 models of multifunction printers for companies that are likely to be connected to computer networks, although it has not explained how vulnerable printers could be used by hackers to exploit these networks. The affected models include several versions of their popular OfficeJet, DeskJet, and Envy printers, as well as the DesignJet and PageWide Pro printers.

The two bugs were identified as CVE-2018-5924 and CVE-2018-5925.

HP has released firmware updates for affected printers through its pages, where customers can search for their specific model. This event coincides with HP’s announcement last week of its vulnerability bounty program, which offers between $500 and $10K for enterprise network security specialists to find flaws on their devices.

The program provides experts with remote access to “various printers and multifunctionals to analyze the potential of possible malicious actions at the firmware level, including spoofing inter-site requests, remote code execution, and scripting flaws”.

One of the challenges for companies is that directors of enterprise network security often do not participate in the purchase of printers.

The company is partnering with Bugcrowd to manage vulnerability reports and rewards.

In 2009, enterprise network security experts pointed out flaws in a series of HP LaserJet printers that threatened corporate networks because machines were unable to verify digital signatures before installing a firmware update.