Hundreds of HP printers affected by critical security issues
HP published two security bulletins that inform customers about critical security issues affecting hundreds of the company's printer models. Firmware updates that patch the security issues are available for some printer models but not for all.
The first security bulletin confirms that certain HP printer models are affected by critically rated security issue CVE-2022-3942. The remote code execution and buffer overflow issue uses Link-Local Multicast Name Resolution (LLMNR). The issue is rated 8.4 out of 10.
HP created firmware updates for some of the affected printer models and released mitigation instructions for others. Models of the following printer families are affected by the vulnerability according to HP:
- HP Color LaserJet Enterprise
- HP Color LaserJet Managed
- HP Digital Sender Flow
- HP LaserJet Enterprise 500
- HP LaserJet Enterprise Color Flow
- HP LaserJet Managed Flow
- HP LaserJet Enterprise Flow
- HP LaserJet Enterprise 600
- HP LaserJet Enterprise 700
- HP LaserJet Enterprise
- HP OfficeJet Enterprise Color
- HP PageWide Color
- HP PageWide Enterprise Color
- HP PageWide Enterprise Color Flow
- HP PageWide Managed Color
- HP Scanjet Enterprise 8500
- HP ScanJet Enterprise Flow
- HP Color LaserJet Pro
- HP LaserJet
- HP LaserJet Pro
- HP PageWide
- HP PageWide Pro
- HP PageWide Managed
- HP DeskJet
- HP DeskJet Ink Advantage
- HP DeskJet Plus
- HP DeskJet Plus Ink Advantage
- HP OfficeJet Pro
- HP DesignJet Z6+ Pro
- HP DesignJet Z9+ Pro
- HP DesignJet
- HP DesignJet XL
- HP PageWide XL
HP owners and system administrators should check the published table to find out if printers that are in use in the home, business or enterprise environment are affected. Firmware updates are available for some of the printer models, for others, mitigations are provided to disable LLMNR.
- HP Color LaserJet Pro - Disable unused network protocols and features using the Embedded Web Server (EWS)
- HP LaserJet Enterprise, HP PageWide Enterprise - Disable unused network protocols and features (EWS)
Second HP security bulletin
The second security bulletin lists three vulnerabilities: CVE-2022-24291 with a rating of 7.5 and a severity of high, CVE-2022-24292 with a rating of 9.8 and a severity of critical, and CVE-2022-24293 with a rating of 9.8 and a severity of critical.
HP notes that the issue can be fixed by installing a new firmware version that HP released. The list of affected products is smaller:
- HP Color LaserJet Pro
- HP PageWide
- HP PageWide Managed
- HP OfficeJet Pro
Firmware is available for all affected printer models with the exception of HP Color LaserJet Pro MFP M2XX, which is listed as "remediation pending".
Closing Words
HP customers who operate affected printer models should consider upgrading the firmware immediately or apply the workaround to protect systems and data from attacks targeting the vulnerabilities.
Now You: do you operate one of the affected printer models? (via Bleeping Computer)
Friends don’t let friends use HP printers. Their stuff (like most) has been going downhill for years. My still working HP Laserjet 1100 can pump out paper just as fast as current laser printers at high quality despite being 20+ years old. A cheap parallel-to-USB cable keeps it compatible with everything. Aside from the toner I’ve only needed to replace the paper roller, which was too worn out to grip the paper anymore, but even then that just meant I had to feed the paper one at a time, which was a pain but it still worked! Current HP trash refuses to work even with cartridges half full of ink and toner. It’s a sham.
always when I surfing the websites support of HP Inc. The browser notify me that connection is insecure. May be the firmware problem are related with this.
We stopped buying HP long ago. Switched to Brother and much happier.
We switched to a Brother laser printer as well years ago and never looked back. It just works, no issues so far.
Brother works. It has better Linux support than Canon.
I’m glad you are happy with the Brother brand. I, too, moved to Brother out of frustration with the other major brands. My first Brother was awesome. But the next one was good, but did not last very long (about the length of the warranty). The last one never really worked right in the first place. So now I am giving up on that brand, too.
Has anyone tested HP’s with the new firmware? Can they use after market ink?
@GoodMeasure, no problem here after updated my HP Deskjet 2600 series, it’s quite simple to install with HP Smart app from MS Store, “config printer” button, and then update firmware. :]
And just like 99% of ‘security issues’ it will not affect the ones complaining about it.
I mean, obviously bad people want to use this vulnerabilities to hack your useless information.
Also security issues doesn’t equal that the printers are useless to print, also, this is about ‘internet features’ which means, if you don’t want vulnerabilities, just don’t plug them to internet or use their wifi/wireless features if you don’t need to (like having your computer next to it).
I mean, apparently some people don’t do anything useful in their lives so they don’t understand printers are still needed in many sectors like something simple as printing shipping labels to anything industry packaging, publishing, advertising related, and all that.
Of course, clueless egocentric people who think the world goes around them will say “printers are useless”, laughable people.
For anyone updating the the HP firmware, PLEASE report if that is causing non-official HP ink cartridges to stop working. Especially for Office Jet Pro!
I got burned by that before…
@Anonymous:
“For anyone updating the the HP firmware, PLEASE report if that is causing non-official HP ink cartridges to stop working.”
That was *my* first thought the instant I saw “firmware updates” mentioned in the article. It’s not like HP hasn’t done it before.
Thanks @Martin, I have updated here firmware of one HP Deskjet 2600 series. :]
Wow. Office admins may be late for supper tonight.
Less a hassle for home users.
An as good as old HP LaserJet 1018 here : not affected.
And my 30-year old HP LaserJet 6P isn’t affected…
Hey, you, copyright-breaking Arne Anka. Wearing a fake bill still? :)
(Read up on the poor Swedish underground cartoonist that drew the ire of Disney. Anka=Duck and guess the rest.)
Kudos for seriously old printer. Only 1010 here, 16 years old.
@Henk
Good analysis, Henk.
+HP printers
are pain to install in Linux pcs…
Hate them!.
If ever needed,
my next printer / scanner
will NOT be an HP.
I manage well,
sending + recv’g + storing PDFs.
Plus,
we all help by saving
millions of badly-needed Trees.
(remember: less paper = less CO2).
Pity.
HP was born
as a legendary and pioneer Silicon Valley firm.
Now,
their products are subpar,
in both quality and easy of use.
Just my opinion.
I ditched my last printer years ago. How many of these security-plagued HP printers will eventually be replaced by new ones? Allow me some musing…
According to recent market research, in my country (NL) 68% of households still have a printer, meaning that almost one-third is now printerless. I could not find longer-term prognostic research, but I assume that the number of printerless households keeps slowly but steadily rising, as there are ever less compelling reasons to actually print out things.
A recent market survey by a UK cartridge seller firm shows that only 25% of home printer owners will print something everyday, about 50% will print something at least once a week. Meaning that at home, most printers stand idle most of the time.
Interestingly, they also looked at what those home printers were used for. Not surprisingly, by far the most popular use was for “Business/Working From Home” (28%). The second most popular use was, somewhat more surprisingly, “Letters/Keeping In Touch” (19%).
To me, these two major uses of printers indicate (more or less) the two most important groups of people who still use a printer at home: (a) the from-home workers who need to produce some formal office paperwork, and (b) the elderly who still want (or need) to rely on paper for communication.
As the latter group will gradually get smaller, and for the first group the role of formal printouts-on-paper in businesses will continue to get smaller, my prediction is that in about ten years from now, the home printer will be almost extinct. A relic from the past.
The only kinds of home printer that may survive in the long run, will be those specialized high-quality ones that people can and will actually use for a hobby: like for creating artwork (now 10% of home use) or printing photos (now 12% of home use).
If I were HP, I would not only worry about security issues. I would think even more about ways of diversification.
That’s a good point. Obviously the only thing HP makes are printers are cartridges of ink and toner. They don’t also sell computers, laptops, monitors, and peripherals including a VR headset. They should really look into those things.
Here my sarcasm-detection fails. Anyway, how about non-diversification: keeping to printers. 3D anyone?
Thank God this doesn’t affect me although all my 4 printers are listed, but I am running a supported Windows 11 with TPM 2.0 so my computers are all safeguarded, Fort Knox-level times TEN. Thank you Microsoft! I don’t need any HP firmware updates.
Yeah keep thankinf Microsoft for those automatic updates, you’ll learn when it affects you soon….
…should we tell him?
Maybe he’s being sarcastic.
Looking at username: sarcasm detected.
No.
Sometimes it’s better for us to learn the hard, painful, expensive way.
Ironically, we keep our HP printer turned off until we actually want to print something because it has this always on lighting that can not be disabled that we find annoying.
Same here with our Officejet Pro. Also I use after market ink that is super inexpensive. I have no doubt the HP firmware update would “fix” that problem too. I’ll take my chances, along with offline image backups for my computers.
@michilin
We recently bought a new HP printer. The ink in cost 60% less!
(It’s physically the exact same ink cartrdige, It just has a different sticker on it)
The original firmware in my printer did not allow me to use aftermarket ink. Evidently enough consumers complained and HP put out a firmware update that allowed aftermarket ink to be used. Soon after, HP had a change of heart and issued another firmware update within months. I discovered that firmware would have reversed the previous and once again prevented aftermarket ink from being used.
I bought my current HP OfficeJet Pro 6978 All-in-One in 2017 brand new for $65. That was a bargain and now the ink I buy is also. I use the scanner more than the printer these days.