Hundreds of HP inkjet printer models vulnerable to critical remote code execution flaws

Hundreds of HP inkjet printer models are in desperate need of firmware patches before hackers start exploiting vulnerabilities to gain remote code execution.

Hundreds of HP inkjet printer models vulnerable to attack
Shawn Carpenter (CC BY-SA 2.0)

Two nasty security vulnerabilities make hundreds of HP Inkjet printers vulnerable to remote code execution. HP recommended applying firmware update patches “as soon as possible.”

Almost immediately after announcing a “first of its kind” bug bounty program for printers, offering up to $10,000 per HP printer bug, HP released firmware update patches for hundreds of inkjet printers.

“Two security vulnerabilities have been identified with certain HP Inkjet printers,” reads the HP ink printers remote code execution security bulletin. “A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.”

The two critical RCE flaws (CVE-2018-5924, CVE-2018-5925) affect a very long list of inkjet printer models, including HP Envy, HP Deskjet, HP Officejet, HP DesignJet, HP PageWide Managed, HP PageWide Pro, HP Photosmart, HP AMP, HP Ink Tank, and HP Smart Tank Wireless.

While the security bulletin doesn’t specify if the vulnerabilities were found via the new printer security bounty program, it seems likely, as the researchers were told to hone-in on firmware-level vulnerabilities and RCE bugs were within the scope of the program. While HP offered between $500 and $10,000 per bug, the severity of RCE bugs should surely score the researcher who found them the highest $10,000 bounty.

The 34 participating researchers were also told that finding cross-site request forgery (CSRF) and cross-site scripting (XSS) bugs were acceptable. Vulnerabilities discovered in the bug bounty program are reported through the crowdsourced Bugcrowd platform. HP even agreed to “good faith” payouts for bugs that HP previously discovered but had not yet disclosed.

HP, which already claims to offer “the world’s most secure printing,” said its printer security bug bounty program was to show that “HP is committed to engineering the most secure printers in the world.”

Shivaun Albright, HP’s chief technologist of print security, added that the company’s bug bounty would allow researchers to find potential bugs that hackers might target, flaws that HP missed when developing and testing its printers.

As for the long list of ink jet printers vulnerable to RCE, the company advised, “The information in this security bulletin should be acted upon as soon as possible.” By that, HP means apply the new firmware patches to impacted printers ASAP. Although the security bulletin lists hundreds of inkjet printer models, the updated firmware can be downloaded after searching for your printer model, downloading and then updating your printer's firmware.

With the printer security bug bounty program in play, there will likely be more security bulletins and firmware upgrades released to patch zero-days.

SUBSCRIBE! Get the best of CSO delivered to your email inbox.