HP printer? Over 100 inkjet models have two critical bugs so patch now, warns HP

HP has patches for two severe flaws affecting over 166 consumer models and multifunction business printers.
Written by Liam Tung, Contributing Writer

Video -- Business security: Printers are unexpected weak link.

Days after launching its printer bug bounty offering up to $10,000 for researchers to find "obscure defects" in its printers, HP has released two firmware fixes for two severe ink printer bugs.

Hundreds of HP Inkjet printers are vulnerable to two critical remote code execution (RCE) vulnerabilities and need to be patched immediately, according to HP's Product Security Response Team (PSRT).

"Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution," wrote HP's PSRT in a security bulletin..

By "certain" printers, HP means 166 consumer models and multifunction printers for business that are likely to be connected to computer networks, though it hasn't explained how the buggy printers could be used by criminals or others to more broadly exploit a computer network.

Affected models include various versions of its popular OfficeJet, DeskJet, and Envy printers, as well as DesignJet and PageWide Pro printers.

SEE: Cybersecurity in an IoT and mobile world (ZDNet special report) | Download the report as a PDF (TechRepublic)

Using the common vulnerability scoring system CVSS 3.0 Base Metrics, it's rated the bugs as 9.8 out of a possible 10.

The two RCE bugs are being tracked as CVE-2018-5924 and CVE-2018-5925.

The company has released firmware updates for the affected printers and is releasing them through its software and drivers page, where customers can search for their specific model.

The timing of the security bulletin and the severity of the bugs is notable, given HP's announcement last week of its vulnerability reward program, which offers between $500 and $10,000 to researchers for finding printer bugs.

HP boasted that it was the "only vendor" to support a printer-only vulnerability rewards scheme.

HP said it kicked off the program to challenge researchers to "search for obscure defects that could be used against our customers".

It's giving researchers remote access to "a set of enterprise multifunction printers and invited researchers to focus on the potential for malicious actions at the firmware level including cross-site request forgery (CSFR), RCE, and cross-site scripting flaws (XSS)."

In a statement about the printer bug bounty, Shivaun Albright, HP's chief technologist of Print Security said the program was launched as the company is navigating "an increasingly complex world of cyber threats", where it was "paramount that industry leaders leverage every resource possible to deliver trusted, resilient security from the firmware up".

It also noted Bugcrowd's report that found printer bugs had increased 21 percent over the past year.

SEE: How to optimize the smart office (ZDNet special report) | Download the report as a PDF (TechRepublic)

One of the challenges for businesses is that chief information security officers often aren't involved in the purchase of printers.

As for HP, the company has of late touted growth of its 3-D printer business, versus its traditional printer business that competes with the likes of Epson and Canon based on high-priced ink supplies versus the hardware itself.

The company is partnering with Bugcrowd to run its vulnerability reporting and rewards program. It's even released the film 'The Wolf' starring Christian Slater to remind people that just two percent of the millions of business PCs around the world are secured.

Researchers in 2009 brought attention to bugs in a host of HP's LaserJet printers that threatened corporate networks because the machines failed to check digital signatures before installing a firmware update.

Previous and related coverage

HP will give you $10,000 to hack your printer

Researchers can earn up to $10,000 for issues which allow attackers to target you through your printer.

HP patches severe code execution bug in enterprise printers

The vulnerability could be exploited to perform remote code execution.

Flaws in popular printers can let hackers easily steal printed documents

Thousands of internet-connected printers could allow an attacker to steal sensitive data, as well as passwords that could allow further compromise of a network.

3D printing security risk caused by undetectable defects, and ways to prevent it TechRepublic

3D printing hacks could lead to recalls, lawsuits, property damage, and even put people in danger, researchers find. They present two ways to stave off this security threat.

HP wants to build a printer you'll actually get excited about CNET

Printer chief Enrique Lores wants to bring back the joy of simply looking at photos that remind us of the good times.

Editorial standards