2021-11-30
HP Releases Firmware Updates for Printers
HP Enterprises has released firmware updates for more than 150 models of its multifunction printers. HP learned of the vulnerabilities from F-Secure in April 2021. One of the issues addressed in the updates is a critical buffer overflow vulnerability; the other is a high-severity information disclosure vulnerability. The flaws could be exploited to take control of vulnerable devices, steal information, and gain access to networks.
Editor's Note
This vulnerability affects printers for the last few years. If you have an HP printer, it is likely vulnerable. Update your firmware in particular if the printer is reachable over a network. The other exploit scenarios may be less of a problem if the printer is located in a home office without easy access.

Johannes Ullrich
Coincidentally, the SANS Holiday Hack Challenge will feature a printer hack this year. As an overlooked part of most infrastructure networks, printers make interesting targets for adversaries since they are seldom subject to rigorous patch management processes. We thought it important to highlight printer vulnerabilities as a common threat for many organizations.

Joshua Wright
By now, network-attached printers should be fully covered by vulnerability management processes, across their entire lifecycle, including disposal. If not, there have been real-world damage-causing exploits against printers over the past 5 years – seeing vulnerabilities that include code execution should be a red flag for action.

John Pescatore
Make sure you’re installing firmware updates on your printers. If you’re using a third party, double-check their practices. Understand controls which allow or disallow Internet printing before enabling that capability. As many printers now cache information and have ports for USB or other memory cards, consider locations away from unescorted access, not just to prevent media insertion, but also to limit unintended browsing of sensitive output. Consider using devices that permit jobs to be queued/paused until the requester is physically present.
