More than 1000 variants of hundreds of HP printer models need a firmware patch against vulnerabilities that lead to remote code execution (RCE).
The four CVEs cover familiar names: LaserJet Pro, Pagewide Pro, OfficeJet Pro, and more.
At the time of writing, while CVEs had been assigned to all the vulnerabilities, details had not yet been published.
Three of the CVEs (CVE-2022-24291, CVSS score 7.5; CVE-2022-24292, CVSS score 9.8, and CVE-2022-24293, CVSS score 9.8) cover a mere 22 models and 68 product numbers.
For these vulnerabilities, HP’s advisory merely states that the devices “may be vulnerable to potential information disclosure, denial of service, or remote code execution”.
Firmware is available for all affected printers except the HP Color LaserJet Pro MFP M2XX, for which the advisory says remediation is ‘pending’.
A little more detail is provided for the fourth, and vastly more widespread, vulnerability, CVE-2022-3942 (CVSS score 8.4).
HP said this is a bug in its implementation of Link-Local Multicast Name Resolution (LLMNR).
Devices ‘may be vulnerable to potential remote code execution and buffer overflow’ the advisory said.
LLMNR was created in 2007 by Microsoft (documented at the Internet Engineering Task Force here) to provide DNS-like name resolution on local area network where no DNS server is present.
New firmware is available for all 248 products and 994 variants carrying the vulnerability, and HP also recommends disabling LLMNR (and further, that admins disable all unused network protocols).
