Even if you don’t own an HP printer, today’s news is worth reading. HP recently released firmware updates for a myriad of printers. The reason? All of these printers contain two vulnerabilities. These vulnerabilities give attackers simple ways not only to take over the device but also to attack the network from the inside.
Affected HP Printers
The list of affected printers is so extensive that we won’t reproduce it here. You can see the list in its entirety in HP’s security bulletin. The affected product lines include HP DeskJet, Envy, OfficeJet, DesignJet, and PageWide Pro printers.
What Can Happen?
According to HP, “Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.” What exactly does that mean?
One of the security flaws only requires an attacker to send a fax to an all-in-one HP printer from the outside. Once the printer attempts to answer the line and accept the fax, the printer executes malicious code included within the inbound file. At this point, the attacker can take over the entire machine and use it as a springboard for attacking other devices.
How Bad Is It?
The National Institute of Standards and Technology (NIST) uses a scoring system to rate vulnerabilities on a scale of 0 to 10. A score of 0 represents no threat at all, while 10 is rated as a critical threat. Both vulnerabilities scored a 9.8 on this scale. This ranks as a critical vulnerability, the highest threat level on NIST’s scale. For comparison, the Meltdown and Spectre vulnerabilities discovered earlier this year only scored a 5.6 on this scale.
What Should I Do?
The firmware patches provided by HP will eliminate the risk. Check with your IT staff or IT company, and make sure they’ve installed the latest firmware on your printers. This advice applies to all devices and not just HP printers. Earlier this month, we released a similar article about a security flaw in security cameras. Each device connected to your network provides another potential avenue of attack. Consequently, all devices on your network need to be monitored and kept up-to-date.
Keeping all network devices updated and secure takes time. If you don’t have full-time IT staff, or they could use some help, contact us today. Our managed IT service provides your network with a line of defense and a crew to monitor devices. We worry about your IT security, so you don’t have to. Request a free consultation to get started.