HP printers carry code execution bug


Little-used network protocol exposes nearly 1000 products.

More than 1000 variants of hundreds of HP printer models need a firmware patch against vulnerabilities that lead to remote code execution (RCE).

The four CVEs cover familiar names: LaserJet Pro, Pagewide Pro, OfficeJet Pro, and more.

At the time of writing, while CVEs had been assigned to all the vulnerabilities, details had not yet been published.

Three of the CVEs (CVE-2022-24291, CVSS score 7.5; CVE-2022-24292, CVSS score 9.8; and CVE-2022-24293, CVSS score 9.8) cover a mere 22 models and 68 product numbers.

For these vulnerabilities, HP’s advisory merely states that the devices “may be vulnerable to potential information disclosure, denial of service, or remote code execution”.

Firmware is available for all affected printers except the HP Color LaserJet Pro MFP M2XX, for which the advisory says remediation is ‘pending’.

A little more detail is provided for the fourth, and vastly more widespread, vulnerability, CVE-2022-3942 (CVSS score 8.4).

HP said this is a bug in its implementation of Link-Local Multicast Name Resolution (LLMNR).

Devices ‘may be vulnerable to potential remote code execution and buffer overflow’, the advisory said.

LLMNR was created in 2007 by Microsoft (and documented at the Internet Engineering Task Force) to provide DNS-like name resolution on local area networks where no DNS server is present.

New firmware is available for all 248 products and 994 variants carrying the vulnerability, and HP also recommends disabling LLMNR (and further, that admins disable all unused network protocols).
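
To check that LLMNR is really off once it has been disabled on a printer, the added example below (not from HP's advisory or the original article) sends one LLMNR query on the local link and reports which hosts still answer. The hostname `printer01` and the transaction ID are assumptions; the multicast group, port and DNS-style header layout are those of the IETF LLMNR specification (RFC 4795).

```python
import socket
import struct
import time

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # IPv4 multicast group and UDP port (RFC 4795)
# Constructed sample: header of a response (QR bit set) to transaction 0x4C4C with one answer.
SAMPLE_RESPONSE = struct.pack("!HHHHHH", 0x4C4C, 0x8000, 1, 1, 0, 0)

def build_query(name: str, txid: int) -> bytes:
    """LLMNR reuses the DNS wire format: 12-byte header, then one question (type A, class IN)."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def is_response_to(packet: bytes, txid: int) -> bool:
    """True if the packet is a response (QR bit set) carrying our transaction ID."""
    if len(packet) < 12:
        return False  # too short to hold a header; ignore it
    rid, flags = struct.unpack("!HH", packet[:4])
    return rid == txid and bool(flags & 0x8000)

def find_responders(name: str, timeout: float = 2.0, txid: int = 0x4C4C) -> set:
    """Query the LLMNR group for `name`; return the source IPs that answered in time."""
    responders = set()
    deadline = time.monotonic() + timeout
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # stay on the local link
        sock.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        while (remaining := deadline - time.monotonic()) > 0:
            sock.settimeout(remaining)
            try:
                data, (addr, _port) = sock.recvfrom(1500)
            except socket.timeout:
                break
            if is_response_to(data, txid):
                responders.add(addr)
    return responders

if __name__ == "__main__":
    # Offline demonstration on the constructed sample; on the audited LAN segment,
    # call find_responders("printer01") with the printer's own (hypothetical) hostname.
    print("query bytes:", build_query("printer01", 0x4C4C).hex())
    print("sample is a matching response:", is_response_to(SAMPLE_RESPONSE, 0x4C4C))
```

A host only answers LLMNR queries for its own name, so query each printer's configured hostname; an empty result after the change indicates the responder is no longer listening for that name.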

Copyright © iTnews.com.au . All rights reserved.