HP warns of security vulnerabilities in numerous printer models that allow attackers to inject malicious code. The manufacturer provides updates.
Hewlett Packard warns of security vulnerabilities in the firmware of various printer models through which attackers could potentially inject malicious code. Numerous inkjets as well as several LaserJet Pro and PageWide Pro models from the company are affected. HP has provided firmware updates for the devices that are intended to close the vulnerabilities.
HP warns about two security vulnerabilities. The manufacturer does not provide any details, but vaguely states that the vulnerabilities would allow a buffer overflow and/or the execution of injected code. HP classifies one vulnerability as a critical risk (CVE-2022-28721, CVSS 9.8, risk critical) and the other as a high threat level (CVE-2022-28722, CVSS 7.1, high).
The CVE entries are not yet publicly available at the time of reporting. There is no further information on this yet. However, more than 40 models from the inkjet portfolio of HP DeskJets, HP Envy, OfficeJets and Smart Tank printers are affected. The vulnerabilities can also be found in six LaserJet Pro and more than 20 PageWide printer models.
HP recommends downloading and installing the updated firmware. Administrators can find it by entering their printer’s model number on HP’s software and driver downloads page.
Such vulnerabilities in printers are not uncommon. Only half a year ago, HP closed vulnerabilities in more than 200 printer models. Since intruders could possibly establish themselves undetected in the network, IT managers should quickly update the affected devices.