HP to patch critical bug in LaserJet printers within 90 days
HP announced in a security bulletin this week that it could take up to 90 days to patch a critical-severity vulnerability that impacts the firmware of certain business-grade printers.
The security issue is tracked as CVE-2023-1707 and it affects about 50 HP Enterprise LaserJet and HP LaserJet Managed Printers models.
The company calculated a severity score of 9.1 out of 10 using the CVSS v3.1 standard and notes that exploiting it could potentially lead to information disclosure.
Despite the high score, there is a restrictive exploitation context, as vulnerable devices need to run FutureSmart firmware version 5.6 and have IPsec enabled.
IPsec (Internet Protocol Security) is an IP network security protocol suite used in corporate networks to secure remote or internal communications and prevent unauthorized access to assets, including printers.
FutureSmart allows users to work and configure printers either from a control panel available on the printer or from a web browser for remote access.
In this case, the information disclosure flaw could allow an attacker to access sensitive information transmitted between the vulnerable HP printers and other devices on the network.
BleepingComputer has contacted HP to learn more about the exact impact of the flaw and whether the vendor has seen signs of active exploitation, but we received no statement at publishing time.
The following printer models are affected by CVE-2023-1707:
- HP Color LaserJet Enterprise M455
- HP Color LaserJet Enterprise MFP M480
- HP Color LaserJet Managed E45028
- HP Color LaserJet Managed MFP E47528
- HP Color LaserJet Managed MFP E785dn, HP Color LaserJet Managed MFP E78523, E78528
- HP Color LaserJet Managed MFP E786, HP Color LaserJet Managed Flow MFP E786, HP Color LaserJet Managed MFP E78625/30/35, HP Color LaserJet Managed Flow MFP E78625/30/35
- HP Color LaserJet Managed MFP E877, E87740/50/60/70, HP Color LaserJet Managed Flow E87740/50/60/70
- HP LaserJet Enterprise M406
- HP LaserJet Enterprise M407
- HP LaserJet Enterprise MFP M430
- HP LaserJet Enterprise MFP M431
- HP LaserJet Managed E40040
- HP LaserJet Managed MFP E42540
- HP LaserJet Managed MFP E730, HP LaserJet Managed MFP E73025, E73030
- HP LaserJet Managed MFP E731, HP LaserJet Managed Flow MFP M731, HP LaserJet Managed MFP E73130/35/40, HP LaserJet Managed Flow MFP E73130/35/40
- HP LaserJet Managed MFP E826dn, HP LaserJet Managed Flow MFP E826z, HP LaserJet Managed E82650/60/70, HP LaserJet Managed E82650/60/70
HP says a firmware update that addresses the vulnerability will be released within 90 days, so there is currently no fix available.
The recommended mitigation for customers running FutureSmart 5.6 is to downgrade their firmware version to FS 220.127.116.11.
Users are advised to source the firmware package from HP's official download portal, where they can select their printer model and get the relevant software.