Hewlett Packard has published information about three critical RCE vulnerabilities affecting hundreds of HP printer models: LaserJet Pro, Pagewide Pro, OfficeJet, Enterprise, Large Format and DeskJet.
The first security bulletin warns of a buffer overflow vulnerability that could allow remote code execution on an affected device. The issue, tracked as CVE-2022-3942, was reported by Trend Micro's Zero Day Initiative team. Although the vulnerability is rated 8.4 out of 10 on the CVSS scale, HP engineers classify it as critical.
HP has already prepared patches for most vulnerable products, and for models that have not received fixes, the company recommends disabling LLMNR (Link-Local Multicast Name Resolution) in the network settings.
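For models that have not yet received firmware, the only mitigation on the page is switching LLMNR off. The following script, added here as an example and not part of HP's bulletin or tooling, lets an administrator verify that a printer has actually stopped answering LLMNR after the setting was changed. It builds a unicast LLMNR query (LLMNR reuses the DNS message format on UDP port 5355, multicast group 224.0.0.252) and parses any answer. The printer hostname, the IP addresses and the assumption that a printer with LLMNR disabled will not answer a unicast LLMNR query are all assumptions of this example; they are not stated by the page.

```python
import socket
import struct

LLMNR_PORT = 5355            # UDP port used by LLMNR
LLMNR_GROUP = "224.0.0.252"  # IPv4 multicast group used by LLMNR


def build_llmnr_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a single-question LLMNR query (DNS wire format): A record, class IN."""
    header = struct.pack("!HHHHHH", txid, 0, 1, 0, 0, 0)  # id, flags, qd, an, ns, ar
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii") for label in name.split(".")
    ) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) DNS-style name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, name ends here
            return off + 2
        off += length + 1


def parse_llmnr_response(data: bytes, txid: int) -> list:
    """Return the IPv4 addresses in A records of a response matching txid.

    Returns [] when the packet is not a response, does not match txid,
    or carries no A records.
    """
    if len(data) < 12:
        return []
    rtxid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rtxid != txid or not (flags & 0x8000):  # QR bit must be set for a response
        return []
    off = 12
    for _ in range(qdcount):                      # skip echoed question section
        off = _skip_name(data, off) + 4
    addresses = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:             # A record
            addresses.append(".".join(str(b) for b in rdata))
    return addresses


def llmnr_responds(host: str, name: str, timeout: float = 2.0) -> bool:
    """Send a unicast LLMNR query for `name` to `host`.

    True means the printer still answers LLMNR (mitigation not in effect);
    False means no matching answer arrived within the timeout.
    Assumption (not from the bulletin): a printer with LLMNR disabled stays silent.
    """
    txid = 0x1234
    query = build_llmnr_query(name, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, LLMNR_PORT))
        try:
            data, _ = sock.recvfrom(2048)
        except socket.timeout:
            return False
    return bool(parse_llmnr_response(data, txid))


if __name__ == "__main__":
    # Constructed, hypothetical inventory: printer IP -> the name the printer claims.
    printers = {"192.0.2.10": "PRINTER-LJ-1", "192.0.2.11": "PRINTER-PW-2"}
    for ip, name in printers.items():
        state = "STILL ANSWERS LLMNR" if llmnr_responds(ip, name) else "silent (ok)"
        print(f"{ip:15} {name:15} {state}")
```

Run it against the printers that could not be patched; any host reported as still answering has not had the mitigation applied and still needs attention. The same parser works for answers to multicast queries sent to 224.0.0.252, which is how a client on the segment would normally reach the printer.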
The second security bulletin warns of two critical and one high-severity vulnerability that can be used for information disclosure, remote code execution and denial of service. These vulnerabilities are tracked as CVE-2022-24291 (CVSS score 7.5), CVE-2022-24292 (CVSS score 9.8) and CVE-2022-24293 (CVSS score 9.8). They, too, were discovered by Zero Day Initiative analysts.
In this case HP also recommends updating the firmware of the affected printer to the latest version; however, patches are not yet available for all affected models. For example, there is currently no mitigation guidance at all for one of the LaserJet Pro models. Updates for it are promised for the near future, but no exact dates are known.
Although few technical details about these bugs have been published so far, the consequences of exploiting remote code execution and information disclosure vulnerabilities are, as a rule, very serious. It is therefore recommended to install the new patches as soon as possible.
As a reminder, we previously reported that HP fixed a critical potential worm vulnerability in 150 printer models, and that Brother printers may not work in Windows 11.