HP Releases Security Updates for Critical Vulnerabilities in HP Print and Digital Sending Products

Summary

HP releases security updates to address four vulnerabilities, three of which are rated as critical, affecting multiple products


The following platforms are also known to be affected:

Multiple models within these product lines are affected. Please refer to HP's Security Bulletins HPSBPI03780 and HPSBPI03781 for a detailed list of affected products.

Threat details

Introduction

HP has released two security bulletins for four vulnerabilities, including three with a critical severity rating, affecting a range of HP Print and Digital Sending products.

The first security bulletin is for CVE-2022-3942, which has a CVSS score of 8.4 but is rated as critical by HP. CVE-2022-3942 is a buffer overflow and remote code execution (RCE) vulnerability relating to the use of Link-Local Multicast Name Resolution (LLMNR).

The second security bulletin is for CVE-2022-24292 and CVE-2022-24293, both of which have critical CVSS ratings of 9.8, and a third vulnerability, CVE-2022-24291, which has a high CVSS rating of 7.8. Devices affected by these could be vulnerable to information disclosure, denial-of-service (DoS) and RCE.


Remediation advice

Affected organisations are advised to review HP's Security Bulletins below and apply any necessary updates. To obtain the updated firmware listed in the Security Bulletins, HP advise visiting their Software and Driver Downloads page, which can be searched by printer model.

At the time of publication, security bulletin HPSBPI03781 advises that remediation is pending for HP Color LaserJet Pro MFP M2XX.

NOTE: HP's security bulletin, HPSBPI03780, also suggests that the issue relating to CVE-2022-3942 may be mitigated in certain HP Enterprise and HP LaserJet Pro printers by disabling LLMNR in network settings. HP provide guidance on how to apply this mitigation by disabling unused network protocols and features using Embedded Web Server (EWS). Organisations considering these mitigations are urged to be cautious and carry out an impact assessment before applying any changes to settings.


Remediation steps

Type: Patch
Step: Certain HP Print Products, Digital Sending Products - Potential remote code execution and buffer overflow - HPSBPI03780
https://support.hp.com/us-en/document/ish_5948778-5949142-16/hpsbpi03780

Type: Patch
Step: Certain HP Print Products – Potential information disclosure, denial of service, remote code execution - HPSBPI03781
https://support.hp.com/us-en/document/ish_5950417-5950443-16/hpsbpi03781


Last edited: 23 March 2022 3:05 pm