Tom Gagnon

HP Wide Format Printer vulnerability HPSBHF03589 rev. 2

Discussion created by Tom Gagnon on Aug 7, 2018

Sharing here sideways-related in case it affects your business. Keep your company and users safe through best practices.

 

There is a firmware update for security on 166 HP ink printers, including a range of common wide format printers (aka plotters but not really because it behaves as an inkjet). Its severity rating is 9.8 out of 10, for a specific type of file able to be sent to the printer to cause stack overflow and allow remote code execution. The list of affected models is within the linked page below, and a fairly simple procedure for processing the firmware upgrade is linked there also. I caution that the HP support site is old and bloated, and also being upgraded right now, so the website itself may be less stable now. Including reading instructions carefully and gathering downloads, it took me about a half hour.

 

HPSBHF03589 rev. 2 - HP Ink Printers Remote Code Execution | HP® Customer Support

 

The story behind this is slightly amusing to me. Last week, HP announced a bug bounty program up to $10,000 for disclosed vulnerabilities on their printers. Three days later (over the weekend), firmware updates were released. Reading between the lines, this tells me that a grey-hat hacker (or security researcher) already had this vulnerability in their pocket, and claimed two bounties right away before someone else could. That is, though the fix is new, the vulnerability is old.

 

As a side note, trends like this are a very good reason to not use unsupported HP printers (over 10 years old) just because they still work. Unsupported hardware does not receive security updates such as this, and is unconsidered in the affected scope of listed models.

Outcomes