Remote Code Execution vulnerability in HP inkjet printers

Here is a security notification for users of HP inkjet printers. HP has discovered vulnerabilities in the firmware of various printers that allow remote code execution.



I have been notified by a German blog reader, but also saw the information on a German blog. There is a vulnerability in the firmware of certain HP inkjet printers that allows remote code execution.

Since many printers are connected via WLAN, this vulnerability could easily be exploited. From phishing to falsifying documents or manipulating other network devices, anything is imaginable. HP considers the discovered vulnerabilities to be extremely critical (9.8 out of 10). HP already offers firmware updates to address these vulnerabilities.

HP Security Bulletin c06097712

HP's Product Security Response Team (PSRT) published a warning on August 1, 2018 and updated it on August 3, 2018 as a security advisory. Two vulnerabilities (CVE-2018-5924 and CVE-2018-5925, HP's internal PSR-2018-0072) have been detected in the firmware of certain HP inkjet printers. A malicious file sent to an affected device can cause a stack or static buffer overflow that could allow remote code execution. HP classifies the two vulnerabilities as critical (9.8 out of 10).

HP has provided firmware updates for affected models. These can be downloaded and installed from the HP Software and Drivers website after entering the model. Instructions for upgrading the firmware can be found under Upgrading Printer Firmware.

Which printers are affected?

A table listing all affected printers and the new firmware version can be found in this HP document. If the printer appears in the list of affected devices, a firmware update should be performed immediately.





3 Responses to Remote Code Execution vulnerability in HP inkjet printers

  1. EP says:

    guenni:

    The HP security advisory was updated again on August 10, 2018 and seemed to have removed "HP Envy Photo 7800 series printer" as an affected printer. It was previously listed on earlier revisions of the HP security advisory but not in the rev. 3 version.

    I tried to update the firmware on a newly purchased HP Envy Photo 7858 printer thru a USB cable connection but it failed (and hung for more than 30 minutes), even though there was a firmware update listed in the software & drivers section of the HP Envy Photo 7858 printer. Seems like this firmware update for this specific printer is faulty. Fortunately the bad firmware update did not brick the printer. I think I'll wait until HP offers a newer firmware update for that printer & will automatically update thru a wireless internet service thru HP web services.

    I also have another printer that is affected, the HP Envy 4500, but that one was automatically updated by itself to 1828A (thru a WiFi connection) without my intervention.

    • guenni says:

      Thx for feedback.

      • EP says:

        Well guenni, the HP security bulletin was revised again – August 13, 2018; now at revision 4. HP Envy Photo 7800 series printer still not listed as one of the affected printers.

        I just checked my HP ENVY Photo 7858 printer a while ago, printed a diagnostic page and it also silently received a firmware update through a wireless internet connection – to version 1829A; again without my intervention or knowledge.
