HP Releases Security Updates for Vulnerabilities in Multi-Function Printers

HP has released security updates for vulnerabilities affecting a wide range of printers that could lead to information disclosure or remote code execution


Threat details

Introduction

HP has released security updates to address two vulnerabilities, tracked as CVE-2021-39237 and CVE-2021-39238, in a range of multi-function printers. These are among several vulnerabilities recently discovered that affect at least 150 HP multi-function printer models dating back to 2013.

CVE-2021-39237 has a high severity score (CVSS v3 7.1) and is an information disclosure vulnerability caused by exposed physical ports, which allow an attacker to gain full access to the device. Physical access to the device is required to exploit this vulnerability.

CVE-2021-39238 has a critical severity score (CVSS v3 9.3) and is a buffer overflow vulnerability in the font parser. An attacker could exploit this vulnerability to achieve remote code execution (RCE). This vulnerability is potentially ‘wormable’: successful exploitation could allow an attacker to spread to other vulnerable devices across the network.

HP has not reported any exploits in the wild targeting these vulnerabilities.


Remediation advice

Affected organisations are encouraged to review HP’s security bulletins (below) and apply the necessary updates to printer firmware.


Remediation steps

Type: Patch
Step: Certain HP LaserJet, HP LaserJet Managed, HP PageWide, and HP PageWide Managed printers - Information disclosure
https://support.hp.com/gb-en/document/ish_5000124-5000148-16

Type: Patch
Step: Certain HP LaserJet, LaserJet Managed, PageWide, PageWide Managed printers - Potential buffer overflow
https://support.hp.com/gb-en/document/ish_5000383-5000409-16

Last edited: 1 December 2021 3:16 pm