HP plugs critical RCE flaws in InkJet printers
HP has plugged two critical vulnerabilities (CVE-2018-5924, CVE-2018-5925) affecting many of its InkJet printers and is urging users to implement the provided firmware updates as soon as possible.
The vulnerabilities, discovered and reported by a still unnamed third-party researcher, can be triggered via a maliciously crafted file sent to an affected device. Such a file can cause a stack or static buffer overflow, which could allow remote code execution.
The list of affected devices is long and encompasses the Pagewide Pro, DesignJet, OfficeJet, DeskJet and Envy product lines.
Updates can be downloaded and installed directly from the printer or from the HP website (instructions on how to do it can be found here).
HP’s print security bug bounty program
The company did not mention whether the vulnerabilities it plugged were flagged as part of the newly revealed bug bounty program it launched with Bugcrowd in May, but it’s likely that they were.
For the moment, the program is still private.
According to CSO Online, 34 researchers were invited to participate in it. They have been told to limit their efforts to endpoint devices (all HP enterprise printers) and to concentrate on firmware-level vulnerabilities, including remote code execution, cross-site request forgery (CSRF) and cross-site scripting (XSS) flaws.
Vulnerability reporting is to be done through Bugcrowd, which will verify bugs and reward researchers based on the severity of the flaw and awards up to $10,000.
“Reporting a vulnerability previously discovered by HP will be assessed, and a reward may be offered to researchers as a good faith payment,” HP noted.
Shivaun Albright, HP’s Chief Technologist of Print Security, said that the company is already keeping security in mind while developing printers, but they want to see whether they have missed anything.
Citing Bugcrowd’s most recent State of Bug Bounty Report, HP pointed out that the top emerging attackers are focused on endpoint devices, and the total print vulnerabilities across the industry have increased 21 percent during the past year.