HP Patches Critical RCE Flaws in Inkjet Printers
6.8.18 securityweek 
Vulnerebility

HP has released firmware updates for many of its ink printers to address a couple of critical vulnerabilities that can be exploited for remote code execution.

According to the HP Product Security Response Team (PSRT), the company’s Inkjet printers are affected by flaws that allow an attacker to trigger a stack or static buffer overflow and execute arbitrary code by sending a specially crafted file to an affected device.

The vulnerabilities are tracked as CVE-18-5924 and CVE-18-5925, and they have both been assigned a CVSS score of 9.8.

HP has shared a list of roughly 160 impacted products, including PageWide, DesignJet, Officejet, Deskjet, Envy and Photosmart devices. The firmware updates for each impacted product can be obtained from HP’s website.

This is not the first time a remote code execution flaw has been found in HP printers. Last year, researchers discovered several potentially serious vulnerabilities in some of HP’s enterprise printers, including an RCE bug affecting LaserJet Enterprise, PageWide Enterprise, LaserJet Managed and OfficeJet Enterprise printers.

HP recently announced the launch of a private bug bounty program that offers up to $10,000 for serious vulnerabilities found in the company’s printers. HP had invited 34 researchers by the time the initiative was unveiled.

The program covers HP LaserJet Enterprise printers and MFPs (A3 and A4), as well as the HP PageWide Enterprise printers and MFPs (A3 and A4).