HP published two security bulletins that inform customers about critical security issues affecting hundreds of the company’s printer models. Firmware updates that patch the security issues are available for some printer models but not for all.
The first security bulletin confirms that certain HP printer models are affected by critically rated security issue CVE-2022-3942. The remote code execution and buffer overflow issue uses Link-Local Multicast Name Resolution (LLMNR). The issue is rated 8.4 out of 10.
HP created firmware updates for some of the affected printer models and released mitigation instructions for others. Models of the following printer families are affected by the vulnerability according to HP:
- HP Color LaserJet Enterprise
- HP Color LaserJet Managed
- HP Digital Sender Flow
- HP LaserJet Enterprise 500
- HP LaserJet Enterprise Color Flow
- HP LaserJet Managed Flow
- HP LaserJet Enterprise Flow
- HP LaserJet Enterprise 600
- HP LaserJet Enterprise 700
- HP LaserJet Enterprise
- HP OfficeJet Enterprise Color
- HP PageWide Color
- HP PageWide Enterprise Color
- HP PageWide Enterprise Color Flow
- HP PageWide Managed Color
- HP Scanjet Enterprise 8500
- HP ScanJet Enterprise Flow
- HP Color LaserJet Pro
- HP LaserJet
- HP LaserJet Pro
- HP PageWide
- HP PageWide Pro
- HP PageWide Managed
- HP DeskJet
- HP DeskJet Ink Advantage
- HP DeskJet Plus
- HP DeskJet Plus Ink Advantage
- HP OfficeJet Pro
- HP DesignJet Z6+ Pro
- HP DesignJet Z9+ Pro
- HP DesignJet
- HP DesignJet XL
- HP PageWide XL
HP owners and system administrators should check the published table to find out if printers that are in use in the home, business or enterprise environment are affected. Firmware updates are available for some of the printer models, for others, mitigations are provided to disable LLMNR.
- HP Color LaserJet Pro – Disable unused network protocols and features using the Embedded Web Server (EWS)
- HP LaserJet Enterprise, HP PageWide Enterprise – Disable unused network protocols and features (EWS)
Second HP security bulletin
The second security bulletin lists three vulnerabilities: CVE-2022-24291 with a rating of 7.5 and a severity of high, CVE-2022-24292 with a rating of 9.8 and a severity of critical, and CVE-2022-24293 with a rating of 9.8 and a severity of critical.
HP notes that the issue can be fixed by installing a new firmware version that HP released. The list of affected products is smaller:
- HP Color LaserJet Pro
- HP PageWide
- HP PageWide Managed
- HP OfficeJet Pro
Firmware is available for all affected printer models with the exception of HP Color LaserJet Pro MFP M2XX, which is listed as “remediation pending”.
HP customers who operate affected printer models should consider upgrading the firmware immediately or apply the workaround to protect systems and data from attacks targeting the vulnerabilities.
(via Bleeping Computer)
