Hundreds of HP printers affected by critical security issues

Martin Brinkmann
Mar 23, 2022

HP published two security bulletins that inform customers about critical security issues affecting hundreds of the company's printer models. Firmware updates that patch the security issues are available for some printer models but not for all.


The first security bulletin confirms that certain HP printer models are affected by CVE-2022-3942, a security issue rated critical. The remote code execution and buffer overflow issue involves the printers' use of Link-Local Multicast Name Resolution (LLMNR). The issue is rated 8.4 out of 10.

HP created firmware updates for some of the affected printer models and released mitigation instructions for others. Models of the following printer families are affected by the vulnerability according to HP:

  • HP Color LaserJet Enterprise
  • HP Color LaserJet Managed
  • HP Digital Sender Flow
  • HP LaserJet Enterprise 500
  • HP LaserJet Enterprise Color Flow
  • HP LaserJet Managed Flow
  • HP LaserJet Enterprise Flow
  • HP LaserJet Enterprise 600
  • HP LaserJet Enterprise 700
  • HP LaserJet Enterprise
  • HP OfficeJet Enterprise Color
  • HP PageWide Color
  • HP PageWide Enterprise Color
  • HP PageWide Enterprise Color Flow
  • HP PageWide Managed Color
  • HP Scanjet Enterprise 8500
  • HP ScanJet Enterprise Flow
  • HP Color LaserJet Pro
  • HP LaserJet
  • HP LaserJet Pro
  • HP PageWide
  • HP PageWide Pro
  • HP PageWide Managed
  • HP DeskJet
  • HP DeskJet Ink Advantage
  • HP DeskJet Plus
  • HP DeskJet Plus Ink Advantage
  • HP OfficeJet Pro
  • HP DesignJet Z6+ Pro
  • HP DesignJet Z9+ Pro
  • HP DesignJet
  • HP DesignJet XL
  • HP PageWide XL

HP printer owners and system administrators should check the published table to find out whether printers in use in their home, business or enterprise environment are affected. Firmware updates are available for some of the printer models; for the others, HP provides mitigation instructions for disabling LLMNR.
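Once the mitigation has been applied, a practitioner will want to confirm that the printers no longer answer LLMNR. The following is an added example, not code from HP or from this article: it parses LLMNR messages (RFC 4795) and reports which inventoried printer addresses still send responses. The capture records, printer IP list, host names and function names are all constructed for illustration, and the capture is assumed to be already filtered to UDP port 5355.

```python
import struct

def parse_llmnr(payload: bytes):
    """Return (is_response, name) for an LLMNR message (RFC 4795), or None if malformed."""
    if len(payload) < 12:
        return None
    _id, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", payload[:12])
    if qdcount != 1:                      # LLMNR messages carry exactly one question
        return None
    labels, pos = [], 12
    while pos < len(payload) and payload[pos] != 0:
        length = payload[pos]
        if length > 63 or pos + 1 + length > len(payload):
            return None                   # pointer or oversized label: reject, never guess
        labels.append(payload[pos + 1:pos + 1 + length].decode("utf-8", "replace"))
        pos += 1 + length
    if pos + 5 > len(payload):            # terminating zero byte plus QTYPE and QCLASS
        return None
    return bool(flags & 0x8000), ".".join(labels)   # QR bit set means response

def llmnr_responders(packets, printer_ips):
    """Map each listed printer IP that sent an LLMNR response to the names it answered for."""
    found = {}
    for src_ip, payload in packets:
        parsed = parse_llmnr(payload)
        if src_ip in printer_ips and parsed and parsed[0]:
            found.setdefault(src_ip, set()).add(parsed[1])
    return found

def build_sample(name, response, addr=(192, 0, 2, 10)):
    """Construct an LLMNR query or response payload (sample data for this example only)."""
    q = b"".join(bytes([len(part)]) + part.encode() for part in name.split(".")) + b"\x00"
    msg = struct.pack("!6H", 0x1234, 0x8000 if response else 0, 1, int(response), 0, 0)
    msg += q + struct.pack("!2H", 1, 1)                      # QTYPE=A, QCLASS=IN
    if response:                                             # one A record, name via pointer
        msg += struct.pack("!HHHIH", 0xC00C, 1, 1, 30, 4) + bytes(addr)
    return msg

# Constructed capture: (source IP, UDP payload), already filtered to UDP port 5355.
PRINTERS = {"192.0.2.10", "192.0.2.11"}   # hypothetical printer inventory
SAMPLE = [
    ("192.0.2.50", build_sample("printer-a", response=False)),   # workstation query
    ("192.0.2.10", build_sample("printer-a", response=True)),    # printer still answers
    ("192.0.2.11", b"\x12\x34\x80\x00"),                         # truncated: ignored
    ("192.0.2.50", build_sample("desk-50", response=True)),      # not a printer: ignored
]

if __name__ == "__main__":
    print(llmnr_responders(SAMPLE, PRINTERS))
```

A printer that appears in the result is still running an LLMNR responder, so the mitigation has not taken effect on it.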

Second HP security bulletin

The second security bulletin lists three vulnerabilities: CVE-2022-24291 with a rating of 7.5 and a severity of high, CVE-2022-24292 with a rating of 9.8 and a severity of critical, and CVE-2022-24293 with a rating of 9.8 and a severity of critical.

HP notes that the issues can be fixed by installing a new firmware version that the company has released. The list of affected products is smaller:

  • HP Color LaserJet Pro
  • HP PageWide
  • HP PageWide Managed
  • HP OfficeJet Pro

Firmware is available for all affected printer models with the exception of HP Color LaserJet Pro MFP M2XX, which is listed as "remediation pending".

Closing Words

HP customers who operate affected printer models should consider upgrading the firmware immediately or applying the workaround to protect systems and data from attacks targeting the vulnerabilities.

Now You: do you operate one of the affected printer models? (via Bleeping Computer)

Publisher
Ghacks Technology News

Comments

  1. Tachy said on March 23, 2022 at 2:03 pm

    Ironically, we keep our HP printer turned off until we actually want to print something because it has this always on lighting that can not be disabled that we find annoying.

    1. michlin said on March 23, 2022 at 2:12 pm

      Same here with our Officejet Pro. Also I use after market ink that is super inexpensive. I have no doubt the HP firmware update would “fix” that problem too. I’ll take my chances, along with offline image backups for my computers.

      1. Tachy said on March 23, 2022 at 3:37 pm

        @michlin

        We recently bought a new HP printer. The ink in cost 60% less!

        (It’s physically the exact same ink cartridge, it just has a different sticker on it)

      2. michlin said on March 24, 2022 at 10:34 pm

        The original firmware in my printer did not allow me to use aftermarket ink. Evidently enough consumers complained and HP put out a firmware update that allowed aftermarket ink to be used. Soon after, HP had a change of heart and issued another firmware update within months. I discovered that firmware would have reversed the previous and once again prevented aftermarket ink from being used.

        I bought my current HP OfficeJet Pro 6978 All-in-One in 2017 brand new for $65. That was a bargain and now the ink I buy is also. I use the scanner more than the printer these days.

  2. Microsoft is superior said on March 23, 2022 at 2:23 pm

    Thank God this doesn’t affect me although all my 4 printers are listed, but I am running a supported Windows 11 with TPM 2.0 so my computers are all safeguarded, Fort Knox-level times TEN. Thank you Microsoft! I don’t need any HP firmware updates.

    1. Anonymous said on March 23, 2022 at 2:51 pm

      …should we tell him?

      1. Anonymous said on March 23, 2022 at 4:18 pm

        No.
        Sometimes it’s better for us to learn the hard, painful, expensive way.

      2. vanp said on March 24, 2022 at 5:11 am

        Maybe he’s being sarcastic.

      3. JoSi said on March 25, 2022 at 3:53 pm

        Looking at username: sarcasm detected.

    2. Anonymous said on September 16, 2022 at 9:36 pm

      Yeah keep thanking Microsoft for those automatic updates, you’ll learn when it affects you soon….

  3. Henk said on March 23, 2022 at 2:44 pm

    I ditched my last printer years ago. How many of these security-plagued HP printers will eventually be replaced by new ones? Allow me some musing…

    According to recent market research, in my country (NL) 68% of households still have a printer, meaning that almost one-third is now printerless. I could not find longer-term prognostic research, but I assume that the number of printerless households keeps slowly but steadily rising, as there are ever less compelling reasons to actually print out things.

    A recent market survey by a UK cartridge seller firm shows that only 25% of home printer owners will print something every day, about 50% will print something at least once a week. Meaning that at home, most printers stand idle most of the time.

    Interestingly, they also looked at what those home printers were used for. Not surprisingly, by far the most popular use was for “Business/Working From Home” (28%). The second most popular use was, somewhat more surprisingly, “Letters/Keeping In Touch” (19%).

    To me, these two major uses of printers indicate (more or less) the two most important groups of people who still use a printer at home: (a) the from-home workers who need to produce some formal office paperwork, and (b) the elderly who still want (or need) to rely on paper for communication.

    As the latter group will gradually get smaller, and for the first group the role of formal printouts-on-paper in businesses will continue to get smaller, my prediction is that in about ten years from now, the home printer will be almost extinct. A relic from the past.

    The only kinds of home printer that may survive in the long run, will be those specialized high-quality ones that people can and will actually use for a hobby: like for creating artwork (now 10% of home use) or printing photos (now 12% of home use).

    If I were HP, I would not only worry about security issues. I would think even more about ways of diversification.

    1. Cassette said on March 25, 2022 at 9:22 am

      That’s a good point. Obviously the only thing HP makes are printers and cartridges of ink and toner. They don’t also sell computers, laptops, monitors, and peripherals including a VR headset. They should really look into those things.

      1. JoSi said on March 25, 2022 at 4:17 pm

        Here my sarcasm-detection fails. Anyway, how about non-diversification: keeping to printers. 3D anyone?

  4. tester said on March 23, 2022 at 3:16 pm

    @Henk
    Good analysis, Henk.

    +HP printers
    are a pain to install in Linux pcs…
    Hate them!

    If ever needed,
    my next printer / scanner
    will NOT be an HP.
    I manage well,
    sending + recv’g + storing PDFs.

    Plus,
    we all help by saving
    millions of badly-needed Trees.
    (remember: less paper = less CO2).

    Pity.
    HP was born
    as a legendary and pioneer Silicon Valley firm.

    Now,
    their products are subpar,
    in both quality and ease of use.

    Just my opinion.

  5. Tom Hawack said on March 23, 2022 at 4:38 pm

    Wow. Office admins may be late for supper tonight.
    Less a hassle for home users.
    An as good as old HP LaserJet 1018 here : not affected.

    1. Arne Anka said on March 23, 2022 at 6:01 pm

      And my 30-year old HP LaserJet 6P isn’t affected…

      1. JoSi said on March 25, 2022 at 4:05 pm

        Hey, you, copyright-breaking Arne Anka. Wearing a fake bill still? :)
        (Read up on the poor Swedish underground cartoonist that drew the ire of Disney. Anka=Duck and guess the rest.)

        Kudos for seriously old printer. Only 1010 here, 16 years old.

  6. John G. said on March 23, 2022 at 5:49 pm

    Thanks @Martin, I have updated here firmware of one HP Deskjet 2600 series. :]

  7. Anonymous said on March 23, 2022 at 7:33 pm

    For anyone updating the HP firmware, PLEASE report if that is causing non-official HP ink cartridges to stop working. Especially for Office Jet Pro!

    I got burned by that before…

    1. Peterc said on March 25, 2022 at 6:15 am

      @Anonymous:

      “For anyone updating the HP firmware, PLEASE report if that is causing non-official HP ink cartridges to stop working.”

      That was *my* first thought the instant I saw “firmware updates” mentioned in the article. It’s not like HP hasn’t done it before.

  8. Bambam said on March 23, 2022 at 8:41 pm

    And just like 99% of ‘security issues’ it will not affect the ones complaining about it.
    I mean, obviously bad people want to use these vulnerabilities to hack your useless information.

    Also security issues don’t equal that the printers are useless to print, also, this is about ‘internet features’ which means, if you don’t want vulnerabilities, just don’t plug them to internet or use their wifi/wireless features if you don’t need to (like having your computer next to it).

    I mean, apparently some people don’t do anything useful in their lives so they don’t understand printers are still needed in many sectors like something simple as printing shipping labels to anything industry packaging, publishing, advertising related, and all that.
    Of course, clueless egocentric people who think the world goes around them will say “printers are useless”, laughable people.

  9. Anonymous said on March 23, 2022 at 10:19 pm

    We stopped buying HP long ago. Switched to Brother and much happier.

    1. Martin Brinkmann said on March 24, 2022 at 6:22 am

      We switched to a Brother laser printer as well years ago and never looked back. It just works, no issues so far.

      1. GoodMeasure said on March 24, 2022 at 3:00 pm

        I’m glad you are happy with the Brother brand. I, too, moved to Brother out of frustration with the other major brands. My first Brother was awesome. But the next one was good, but did not last very long (about the length of the warranty). The last one never really worked right in the first place. So now I am giving up on that brand, too.

        Has anyone tested HP’s with the new firmware? Can they use after market ink?

      2. John G. said on March 24, 2022 at 7:14 pm

        @GoodMeasure, no problem here after updating my HP Deskjet 2600 series, it’s quite simple to install with HP Smart app from MS Store, “config printer” button, and then update firmware. :]

      3. Jim said on March 26, 2022 at 12:41 pm

        Brother works. It has better Linux support than Canon.

  10. wiphala said on March 23, 2022 at 11:33 pm

    Whenever I surf the support websites of HP Inc., the browser notifies me that the connection is insecure. Maybe the firmware problems are related to this.

  11. beemeup5 said on March 24, 2022 at 2:33 am

    Friends don’t let friends use HP printers. Their stuff (like most) has been going downhill for years. My still working HP Laserjet 1100 can pump out paper just as fast as current laser printers at high quality despite being 20+ years old. A cheap parallel-to-USB cable keeps it compatible with everything. Aside from the toner I’ve only needed to replace the paper roller, which was too worn out to grip the paper anymore, but even then that just meant I had to feed the paper one at a time, which was a pain but it still worked! Current HP trash refuses to work even with cartridges half full of ink and toner. It’s a sham.
