A couple of new critical security flaws were found in HP printers.
CVE-2018-5924, CVE-2018-5925 in HP Printers
One of the vulnerabilities resides in the firmware of certain HP printers, and it has been classified as very critical. This vulnerability is known as CVE-2018-5924 and affects an unknown function. What is known is that the manipulation with an unknown input leads to a memory corruption flaw. The second vulnerability, CVE-2018-5925, appears to be related to the first one.
How can an attack take place? As explained by HP, “a maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution”.
Fortunately, HP has already provided firmware updates for the affected products, such as Pagewide Pro, DesignJet, OfficeJet, DeskJet and Envy printers.
To obtain the updated firmware, users are urged to go to the HP Software and Drivers page for the particular product, find the firmware update from the list of available software, and follow the instructions.
Just last week, HP announced it will be inviting white hat hackers to test its printers for bugs that hackers could exploit for malicious purposes. The one-of-a-king bug bounty program is launched in partnership with bug bounty platform Bugcrowd.
According to a 2018 report by Bugcrowd, endpoint devices are increasingly targeted by malicious actors, with a 21 percent increase in total endpoint bugs reported in the last year. Thus, HP decided to launch a printer-only vulnerability disclosure program encouraging researchers to discover and report bugs.
Depending on the scale of the vulnerability, bug bounties will vary between $500 and $10,000.