HP warns of critical vulnerabilities in hundreds of HP printer models, including the LaserJet Pro, OfficeJet and DeskJet series.
The first vulnerability allows a buffer overflow. The vulnerability affects dozens of models (see: Affected Products). The buffer overflow creates the risk of Remote Code Execution (RCE). The vulnerability was found by Zero Day Initiative.
HP published a firmware update for most models. Not all updates are ready. Some devices will have to make do without for now. HP prepared a set of alternative instructions for users of HP LaserJet Enterprise and HP LaserJet Pro.
If you’re using one or more models in these series, you do well to follow the instructions. The vulnerability (CVE-2022-3942) was graded an 8.4.
Few details, risk of DoS
The second, third and fourth vulnerabilities received high to critical CVE scores. One of the vulnerabilities opens the door for denial of service (DoS) attacks. All vulnerabilities were found by Zero Day Initiative.
The number of affected devices is limited (see: Affected Products). The threat is exceptional: two of the vulnerabilities received CVE scores of 9.8.
Once more, patching is the way to go. Firmware updates are available for every model except the HP Color LaserJet Pro MFP M2XX. If you’re using a model in this series, you’re on your own for now. HP gave no official instructions. The patch is expected to appear on the website in the next few hours.
HP shared very few technical details on the latter three vulnerabilities. We expect to see more information after the latest patch is published. Until then, it can’t hurt to review your firewalls and policies.