[German]Firmware from various laser printers is vulnerable to CVE-2023-1707 vulnerability. Certain HP Enterprise LaserJet and HP LaserJet are potentially vulnerable to information disclosure in managed environments when IPsec is enabled with FutureSmart version 5.6. A patch may be up to 90 days away. Administrators so far only have the option to perform a workaround in the form of a firmware downgrade.
Advertising
HP FutureSmart
HP FutureSmart is a firmware that can be used on all HP Enterprise devices. The goal is to facilitate the management and maintenance of a wide range of functions of the HP devices. Devices can be managed either via control panel on the printer or remotely via web browser using a local web server. HP FutureSmart is constantly updating FutureSmart, existing printers can be effortlessly upgraded and should benefit from the latest features.
Vulnerability in HP firmware
Vendor HP has published a security advisory Certain HP Enterprise LaserJet and HP LaserJet Managed printers – Potential information disclosure as of April 3, 2023 (see also the following tweet), indicating vulnerability CVE-2023-1707 in various HP Enterprise LaserJet and HP LaserJet printers.
The advisory states that certain HP Enterprise LaserJet and HP LaserJet Managed printers are potentially vulnerable to information disclosure when IPsec is enabled with FutureSmart version 5.6. The CVE-2023-1707 vulnerability is rated critical and has been assigned a CVSS v3.1 score of 9.1. Unfortunately, there is no patch for the firmware in question from HP so far. HP writes that an updated firmware that fixes the issue is expected within 90 days.
IPsec (Internet Protocol Security) is a protocol suite designed to enable secure communications over potentially insecure IP networks such as the Internet. IPsec operates directly at the network layer of the DoD model and is an evolution of IP protocols.
Proposed mitigation
To mitigate the vulnerabilit, HP has provided temporary firmware mitigation for customers running FutureSmart 5.6 with IPsec enabled on potentially affected products. HP recommends immediately reverting to an earlier version of the firmware (FutureSmart version 5.5.0.3) and downgrading devices to that firmware version.
Advertising
Which printers are affected?
HP discloses the following printer models as potentially affected when IPsec is enabled with FutureSmart version 5.6 in the Security Advisory Certain HP Enterprise LaserJet and HP LaserJet Managed printers – Potential information disclosure. (via)
- HP Color LaserJet Enterprise M455
- HP Color LaserJet Enterprise MFP M480
- HP Color LaserJet Managed E45028
- HP Color LaserJet Managed MFP E47528
- HP Color LaserJet Managed MFP E785dn, HP Color LaserJet Managed MFP E78523, E78528
- HP Color LaserJet Managed MFP E786, HP Color LaserJet Managed Flow MFP E786, HP Color LaserJet Managed MFP E78625/30/35, HP Color LaserJet Managed Flow MFP E78625/30/35
- HP Color LaserJet Managed MFP E877, E87740/50/60/70, HP Color LaserJet Managed Flow E87740/50/60/70
- HP LaserJet Enterprise M406
- HP LaserJet Enterprise M407
- HP LaserJet Enterprise MFP M430
- HP LaserJet Enterprise MFP M431
- HP LaserJet Managed E40040
- HP LaserJet Managed MFP E42540
- HP LaserJet Managed MFP E730, HP LaserJet Managed MFP E73025, E73030
- HP LaserJet Managed MFP E731, HP LaserJet Managed Flow MFP M731, HP LaserJet Managed MFP E73130/35/40, HP LaserJet Managed Flow MFP E73130/35/40
- HP LaserJet Managed MFP E826dn, HP LaserJet Managed Flow MFP E826z, HP LaserJet Managed E82650/60/70, HP LaserJet Managed E82650/60/70
