HP Will Fix Critical Vulnerability in LaserJet Printers in 90 Days

by Emma Davis
April 6, 2023
critical vulnerability in LaserJet
Written by Emma Davis

HP announced that it has discovered a critical vulnerability CVE-2023-1707 that affects about 50 models of HP Enterprise LaserJet and HP LaserJet Managed printers. Interestingly, there is no patch for this vulnerability yet, and the manufacturer promises to fix it in about three months.

The issue was rated 9.1 out of 10 on the CVSS scale, making it critical. But the good news is that exploitation is only possible in a limited context, as affected devices must be running FutureSmart firmware version 5.6 and have IPsec (Internet Protocol Security) enabled. FutureSmart allows users to operate and configure printers either from a control panel available on the device or from a browser via remote access.

Let me remind you that we also wrote that RCE vulnerabilities threaten many HP printer models, and also that HP Fixed Critical Potential Worm Vulnerability in 150 Printer Models.

Additionally, information security specialists reported that Researchers found a vulnerability that affects millions of HP, Xerox and Samsung printers.

Exploitation of a bug may lead to information disclosure. That is, an attacker could gain access to sensitive information transferred between vulnerable HP printers and other devices on the network.

The list of vulnerable devices can be seen below.

  1. HP Color LaserJet Enterprise M455
  2. HP Color LaserJet Enterprise MFP M480
  3. HP Color LaserJet Managed E45028
  4. HP Color LaserJet Managed MFP E47528
  5. HP Color LaserJet Managed MFP E785dn, HP Color LaserJet Managed MFP E78523, E78528
  6. HP Color LaserJet Managed MFP E786, HP Color LaserJet Managed Flow MFP E786, HP Color LaserJet Managed MFP E78625/30/35, HP Color LaserJet Managed Flow MFP E78625/30/35
  7. HP Color LaserJet Managed MFP E877, E87740/50/60/70, HP Color LaserJet Managed Flow E87740/50/60/70
  8. HP LaserJet Enterprise M406
  9. HP LaserJet Enterprise M407
  10. HP LaserJet Enterprise MFP M430
  11. HP LaserJet Enterprise MFP M431
  12. HP LaserJet Managed E40040
  13. HP LaserJet Managed MFP E42540
  14. HP LaserJet Managed MFP E730, HP LaserJet Managed MFP E73025, E73030
  15. HP LaserJet Managed MFP E731, HP LaserJet Managed Flow MFP M731, HP LaserJet Managed MFP E73130/35/40, HP LaserJet Managed Flow MFP E73130/35/40
  16. HP LaserJet Managed MFP E826dn, HP LaserJet Managed Flow MFP E826z, HP LaserJet Managed E82650/60/70, HP LaserJet Managed E82650/60/70

HP representatives say that a firmware update that fixes the vulnerability will be ready within 90 days, and a patch is not available at this time. Customers running FutureSmart 5.6 are advised to downgrade FutureSmart 5.5.0.3 for now.

The company told Bleeping Computer that the impact of this vulnerability was very limited: the vulnerability was relevant from mid-February 2023 to the end of March 2023, only for the FutureSmart 5 firmware version.

During this short period of time, if the client was using IPsec, scan job data sent from the printer (such as scan-to email or scan-to SharePoint) could potentially be compromised. <..> Credentials could potentially be exposed if they were not protected by TLS or other underlying encryption mechanisms.the company said.
Sending
User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

View all posts

Leave a Reply

Sending