HP has published several security alerts covering more than 250 of its printer models. The flaws could allow attackers to inject malicious code, launch denial-of-service (DoS) attacks, and access data. As a countermeasure, the manufacturer recommends firmware updates and configuration changes.
LLMNR protocol as the gateway
The first vulnerability, CVE-2022-3942, is classified as critical with a score of 8.4. According to Heise, attackers can use vulnerabilities in the firmware to remotely cause a buffer overflow in around 250 HP printer models. Malicious code can then be injected and executed.
A protocol called Link-Local Multicast Name Resolution (LLMNR) serves as the entry point for attackers. It lets IPv4 and IPv6 hosts resolve the names of other hosts on the same local network to numeric addresses. It has been part of every version of Microsoft's Windows operating system since Windows Vista, as well as its mobile counterparts Windows Phone and Windows 10 Mobile. In addition to a firmware update, HP said the vulnerability can also be mitigated by switching off the LLMNR protocol on the devices.
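To confirm that switching off LLMNR on a printer took effect, a check along these lines can be run from a host on the same subnet. This is an added example, not code from HP or the original article; it assumes the device answers LLMNR queries for its own configured hostname, and `printer-01` is a placeholder name.

```python
import socket
import struct

LLMNR_GROUP, LLMNR_PORT = "224.0.0.252", 5355  # IPv4 multicast group and UDP port (RFC 4795)

def build_query(name, txid=0x4C4D):
    """Build an LLMNR A-record query; the wire format is the same as DNS."""
    header = struct.pack("!6H", txid, 0, 1, 0, 0, 0)  # flags 0 = standard query, QDCOUNT 1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!2H", 1, 1)  # QTYPE A, QCLASS IN

def is_response_to(packet, txid):
    """True if packet is an LLMNR response (QR bit set) carrying our transaction id."""
    if len(packet) < 12:  # shorter than the fixed header: not a valid message
        return False
    rid, flags = struct.unpack("!2H", packet[:4])
    return rid == txid and bool(flags & 0x8000)

def llmnr_responders(name, timeout=2.0, txid=0x4C4D):
    """Multicast one query for `name` and return the set of IPs that answered."""
    found = set()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)  # stay on the local link
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (LLMNR_GROUP, LLMNR_PORT))
        try:
            while True:
                data, (ip, _port) = s.recvfrom(512)
                if is_response_to(data, txid):
                    found.add(ip)
        except socket.timeout:
            pass  # no further replies within the timeout
    return found

if __name__ == "__main__":
    # "printer-01" is a placeholder; use the hostname configured on the printer.
    hosts = llmnr_responders("printer-01")
    print("LLMNR still answering from:", ", ".join(sorted(hosts)) or "nobody")
```

An empty result after the configuration change indicates the device no longer answers LLMNR for that name; the firmware update is still required to remove the underlying flaw.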
Affected models include HP Color LaserJet, DesignJet, DeskJet, HP Digital Sender, LaserJet, OfficeJet Pro, PageWide, and HP ScanJet Enterprise.
For more than 20 other models, HP identified three further vulnerabilities: CVE-2022-24291, CVE-2022-24292, and CVE-2022-24293. Two are classified as critical. Details are sparse; HP lists information theft, DoS, and buffer overflow as the possible security risks. According to HP, the only fix for these problems is updating to the latest firmware.
Second case of HP printer vulnerabilities in a few months
Such reports are nothing new for HP users. As early as the end of 2021, security researchers found serious vulnerabilities in over 150 printer models.
Using phishing tactics, attackers could access the devices and hijack them. They could then read printouts, scans, and faxes. In addition, the device's login data could be read, opening the way to the rest of the network. Even then, HP advised firmware updates.
Editor's note: This story originally appeared on CIO Germany.