Monday 6 August 2018

HP Releases Critical Firmware Updates For 2 Remote Code Execution Vulnerabilities Affecting 166 Printer Models


Just a few days ago, HP offered a cash prize of $100,000 to researchers who might find vulnerabilities in its printer products, and it seems that two reports in particular caught its attention, as the company has released firmware updates for two critical errors. HP warns that hundreds of its inkjet printers are vulnerable to two remote code execution vulnerabilities. Users must update their firmware immediately to mitigate the consequences of these severe vulnerabilities.

According to the HP Support Communication Security Bulletin, a maliciously crafted file sent to affected HP printers can cause a static stack or buffer overflow that could pave the way for remote code execution. The identifiers assigned to these vulnerabilities are CVE-2018-5924 and CVE-2018-5925. Both vulnerabilities have received critical CVSS 3.0 scores of 9.8 each.

HP prides itself on being the only company that offers such large prizes for the discovery of vulnerabilities in its line of printers. Following the incident report (however and whenever it was made), the HP team worked diligently to release updates to mitigate the risks posed. HP executives have expressed pride in the effort of their team and the performance record of their company.

It is not clear whether these vulnerabilities were reported through the program or whether HP knew of them beforehand. The timing, however, makes it appear that this is a result of the bounty program. Regardless, HP has stood firm as the self-proclaimed provider of the "world's safest printing" by releasing patches long before any exploitation of known vulnerabilities.

At the bottom of the HP Security Bulletin, a list of the 166 affected printer models is published, covering both printers connected to corporate networks and printers for personal use. These models include a wide range of OfficeJet, DeskJet, Envy, DesignJet and PageWide Pro devices. The associated firmware updates are listed next to the model numbers. HP printer owners are asked to update their firmware immediately to avoid the consequences of the two remote code execution vulnerabilities.
