HP has patches for two severe flaws affecting over 166 consumer models and multifunction business printers
Days after launching its printer bug bounty offering up to $10,000 for researchers to find "obscure defects" in its printers, HP has released two firmware fixes for two severe ink printer bugs. Hundreds of HP Inkjet printers are vulnerable to two critical remote code execution (RCE) vulnerabilities and need to be patched immediately, according to HP's Product Security Response Team (PSRT).
"Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution," wrote HP's PSRT in a security bulletin.
By "certain" printers, HP means 166 consumer models and multifunction printers for business that are likely to be connected to computer networks, though it hasn't explained how the buggy printers could be used by criminals or others to more broadly exploit a computer network.
Affected models include various versions of its popular OfficeJet, DeskJet, and Envy printers, as well as DesignJet and PageWide Pro printers.
Using the Common Vulnerability Scoring System (CVSS) 3.0 Base Metrics, HP has rated the bugs 9.8 out of a possible 10.
The two RCE bugs are being tracked as CVE-2018-5924 and CVE-2018-5925.