November 23, 2017
The OEM is releasing the firmware patch after a raft of security bugs were found by experts.
HP Inc. are to respond to various security bugs reported to the company by cybersecurity experts recently with the release of new firmware patches, reports BleepingComputer.
The patches will address a range of bugs, the most severe of which is a remote code execution (RCE) flaw affecting HP’s enterprise printer series including the LaserJet and PageWide, as well as some OfficeJet and ScanJet models.
The announcement comes after HP previously boasted about the security of its printers, with marketing campaigns highlighting it specifically, and HP adding technologies such as Runtime Intrusion Detection, HP Sure Start, and Whitelisting. The OEM even hiring actor Christian Slater to promote HP’s advanced security and anti-hacking measures.
Prompted by this campaign, experts from FoxGlove Security “decided to take a jab” at getting through the printer defences, using a custom-made tool called PRET (Printer Exploitation Toolkit), which automates local, network, and remote attacks on printers using known vulnerabilities.
As well as the RCE bug, FoxGlove discovered several more defects, ranging from a design flaw allowing attackers to extract firmware images, to an unsecured factory reset function, giving hackers the ability to reset the printer’s admin password to default – not having a password.
The researchers also found that, owing to the design of HP printer settings panels, security-related settings are deep within the menus, making it arguably more laborious for owners to fully secure their devices.
System administrators using networks including HP printers should look out for the firmware update this week. A full list of the affected products is available in HP’s Security Advisory.
Categories : Products and Technology