Hundreds of HP printer models with RCE vulnerability (March 2022)

HP warns in two security advisories about remote code execution (RCE) and information disclosure vulnerabilities in hundreds of its printer models. Attackers could exploit the vulnerabilities to inject malicious code into the affected devices. The manufacturer has released firmware updates to mitigate these vulnerabilities.



In the security advisories HPSBPI03780 and HPSBPI03781, dated 21 March 2022, HP notes that certain HP printer models may be vulnerable to remote code execution (RCE) and buffer overflows. The two security alerts address critical vulnerabilities affecting hundreds of LaserJet Pro, Pagewide Pro, OfficeJet, Enterprise, Large Format and DeskJet printer models.

Security alert HPSBPI03780 mentions only the vulnerability CVE-2022-3942, reported by Trend Micro. HP advises that certain HP Print and Digital Sending products may be vulnerable to remote code execution (RCE) and buffer overflows when using Link-Local Multicast Name Resolution (LLMNR). Details of CVE-2022-3942 are not disclosed; however, because it combines a buffer overflow with remote code execution, the vulnerability has received a CVSS score of 8.4, which HP itself rates as critical.
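LLMNR carries DNS-format messages over UDP port 5355 to the multicast group 224.0.0.252 (RFC 4795). HP discloses nothing about how the overflow is triggered, so the following is only a generic illustration, added here and not taken from HP, Trend Micro or the advisory, of the bounds and length checks a defensive LLMNR query parser performs before trusting a datagram: header length, one question only, label lengths at most 63 bytes, a total name of at most 255 bytes, and no reads past the end of the buffer. Refusing compression pointers is a design choice of this example, not an RFC requirement; the printer names and datagrams are constructed for the demonstration.

```python
import struct

LLMNR_PORT = 5355               # UDP port used by LLMNR (RFC 4795)
LLMNR_MCAST_V4 = "224.0.0.252"  # IPv4 multicast group for LLMNR queries
HEADER_LEN = 12                 # DNS-style header: 6 x 16-bit fields
MAX_LABEL = 63                  # DNS label length limit
MAX_NAME = 255                  # DNS name wire-length limit


class MalformedLLMNR(ValueError):
    """Raised for any datagram that violates the expected wire format."""


def _parse_name(buf: bytes, offset: int):
    """Parse a length-prefixed name starting at offset; return (name, new_offset)."""
    labels = []
    start = offset
    while True:
        if offset >= len(buf):
            raise MalformedLLMNR("name runs past end of datagram")
        length = buf[offset]
        offset += 1
        if length == 0:                      # root label terminates the name
            break
        if length & 0xC0 == 0xC0:
            # Compression pointers are refused here by choice: a single-question
            # query has nothing earlier in the message to point at.
            raise MalformedLLMNR("compression pointer not accepted")
        if length > MAX_LABEL:               # also covers the reserved 0x40/0x80 forms
            raise MalformedLLMNR(f"label length {length} exceeds {MAX_LABEL}")
        if offset + length > len(buf):
            raise MalformedLLMNR("label runs past end of datagram")
        try:
            labels.append(buf[offset:offset + length].decode("utf-8"))
        except UnicodeDecodeError as exc:
            raise MalformedLLMNR("label is not valid UTF-8") from exc
        offset += length
    if offset - start > MAX_NAME:
        raise MalformedLLMNR(f"name wire length {offset - start} exceeds {MAX_NAME}")
    return ".".join(labels), offset


def parse_llmnr_query(datagram: bytes) -> dict:
    """Validate an LLMNR query datagram and return its decoded fields."""
    if len(datagram) < HEADER_LEN:
        raise MalformedLLMNR("header truncated")
    txid, flags, qdcount, ancount, nscount, arcount = struct.unpack(
        "!6H", datagram[:HEADER_LEN])
    if flags & 0x8000:
        raise MalformedLLMNR("QR bit set: this is a response, not a query")
    if qdcount != 1:
        raise MalformedLLMNR(f"expected exactly one question, got {qdcount}")
    name, offset = _parse_name(datagram, HEADER_LEN)
    if offset + 4 > len(datagram):
        raise MalformedLLMNR("question section truncated")
    qtype, qclass = struct.unpack("!HH", datagram[offset:offset + 4])
    if qclass != 1:
        raise MalformedLLMNR(f"unexpected query class {qclass} (expected IN)")
    return {"txid": txid, "name": name, "qtype": qtype, "qclass": qclass,
            "trailing_bytes": len(datagram) - offset - 4}


def is_well_formed(datagram: bytes) -> bool:
    """Convenience wrapper for triage over captured datagrams."""
    try:
        parse_llmnr_query(datagram)
        return True
    except MalformedLLMNR:
        return False


def build_query(txid: int, name: str, qtype: int = 1) -> bytes:
    """Build a query without validation, so malformed samples can be constructed too."""
    header = struct.pack("!6H", txid, 0, 1, 0, 0, 0)
    body = b"".join(bytes([len(lbl.encode())]) + lbl.encode() for lbl in name.split("."))
    return header + body + b"\x00" + struct.pack("!HH", qtype, 1)


if __name__ == "__main__":
    # Constructed samples: one normal name lookup, then three malformed datagrams.
    samples = {
        "normal": build_query(0x1234, "printer-01"),
        "oversized label": build_query(0x1235, "a" * 70),
        "oversized name": build_query(0x1236, ".".join(["b" * 60] * 5)),
        "truncated": build_query(0x1237, "printer-01")[:-3],
    }
    for label, dgram in samples.items():
        try:
            print(f"{label:16s} ok  {parse_llmnr_query(dgram)}")
        except MalformedLLMNR as exc:
            print(f"{label:16s} REJECTED: {exc}")
```

Run as a script it prints one line per constructed sample; imported, `is_well_formed` can be applied to datagrams pulled from a capture on port 5355 to count how many the checks would have refused.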

The second security advisory, HPSBPI03781, describes three other vulnerabilities reported by Trend Micro. Certain HP printing devices may be vulnerable to information disclosure, denial of service or remote code execution.

  • CVE-2022-24291: CVSS 7.5, High
  • CVE-2022-24292: CVSS 9.8, Critical
  • CVE-2022-24293: CVSS 9.8, Critical

For all these vulnerabilities, HP has released firmware updates that close them. A list of affected HP products can be found in the two security advisories HPSBPI03780 and HPSBPI03781. The firmware for affected devices should be downloadable from the HP download page.

The first reflex would be: since the vulnerabilities are rated high or critical, the printer firmware should be updated promptly. The question, though, is whether such an update will bring along the kind of collateral damage HP has delivered before, such as forcing the use of original HP ink or toner cartridges. If the printer is not reachable from the Internet and is isolated in its own VLAN on the company network, the risk should be limited even without a firmware update. This approach is the only option anyway for devices that receive no firmware update.



Similar articles:
HP printer firmware disables refill ink cartridges
HP: New printer firmware re-enables refill ink cartridges
HP apologizes, new firmware update for printers soon
Electronic Frontier Foundation (EFF) criticizes HP
Firmware Update blocks again non HP Printer Cartridges
Hints for HP Printer Firmware Downgrade
