Over 225 HP inkjet printer models vulnerable to remote code execution

HP inkjet printers have two critical RCE vulnerabilities

RCE vulnerabilities in HP printersHP warns to update their inkjet printers since two major RCE vulnerabilities have been detected.

Researchers report about two major remote code execution (RCE) vulnerabilities present on over 225 HP inkjet printer models[1]. HP has released an official report on August 1 encouraging users to update their devices as soon as possible.

An anonymous third-party researcher has discovered the critical HP printer vulnerabilities. They are identified under CVE-2018-5924 and CVE-2018-5925 reference numbers. According to CVSS 3.0 Base Metrics, the base score of the vulnerabilities is 9.8 out of 10 which makes them critical[2].

IT experts warn that if a malicious file is sent an HP device, it could lead to the buffer overflow and allow remote code execution. In other terms, criminals could control the gadget remotely and exploit it for malevolent purposes. HP Product Security Response Team (PSRT) states the following in the official security bulletin[3]:

Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.

Recently released HP's print security bug bounty program

HP has recently announced about its printer security bug program and invited approximately 34 independent researchers to participate. The company offered up to $10 000 per HP printer bug depending on its severity[4]. IT specialists were told to focus on firmware-level flaws rather than endpoint devices.

The company was interested in detecting the following vulnerabilities[5]:

  • Cross-site request forgery (CSRF);
  • Remote code execution (RCE);
  • Cross-site scripting (XSS).

Reporting a vulnerability previously discovered by HP will be assessed, and a reward may be offered to researchers as a good faith payment <…>

Even though HP only states that a third-party researcher detected the security flaw, other sources believe that it is linked to the bug bounty program. It is evident that RCE vulnerabilities fall into the category of the requested ones by HP. Thus, the independent researcher should have scored the highest reward of $10 000 this time.

HP issues vulnerability patches for the affected HP inkjet printers

These two critical RCE vulnerabilities have been detected on more than 225 HP printer models. HP has released necessary software updates to fix the flaws.

Experts can divide all the affected models into five separate categories which include Pagewide Pro, HP DesignJet, HP Officejet, HP Deskjet and HP Envy printers.

The updates for specific models can be found on the HP official website. Users should navigate to the Software and Drivers page and search for their device name to get the security patch.

About the author
Alice Woods
Alice Woods - Likes to teach users about virus prevention

Alice Woods is the News Editor at 2-spyware. She has been sharing her knowledge and research data with 2spyware readers since 2014.

Contact Alice Woods
About the company Esolutions