Only days after HP announced a $100,000 cash prize for researchers who could find vulnerabilities in its printer products, the company has released firmware updates for two critical bugs, and the timing suggests that two particular reports caught its attention. HP warns that hundreds of its Inkjet printer models are vulnerable to two remote code execution flaws, and users should update their firmware immediately to mitigate these severe vulnerabilities.
According to HP's Support Communication Security Bulletin, a maliciously crafted file sent to an affected printer can cause a stack or static buffer overflow, which could pave the way for remote code execution. The two vulnerabilities are tracked as CVE-2018-5924 and CVE-2018-5925; both carry a critical CVSS 3.0 base score of 9.8.
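The bulletin names the bug class but not the code, so the following is an added illustration of that class and not HP firmware or the code behind CVE-2018-5924 or CVE-2018-5925. It assumes a hypothetical record format (one length byte followed by that many name bytes), invented function names and constructed sample bytes. The vulnerable parser trusts the attacker-controlled length and overflows a fixed-size stack array, which is how a malformed file becomes code execution; the hardened parser validates the length against both the destination buffer and the bytes actually supplied before copying. A static array in place of the stack one would overflow adjacent globals instead, which is the second variant the bulletin mentions.

```c
/*
 * Illustration of a stack buffer overflow in a parser for an attacker-
 * supplied file.  The record layout, function names and sample bytes are
 * invented for this article; this is NOT HP firmware and NOT the code
 * behind CVE-2018-5924 / CVE-2018-5925.
 *
 * Hypothetical record layout: one length byte, then that many name bytes.
 */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NAME_MAX 32

/* Vulnerable parser: trusts the length byte and copies into a fixed-size
 * stack array.  A file whose length byte exceeds NAME_MAX writes past the
 * end of 'name' into the saved frame pointer and return address, which is
 * what turns a parsing bug into remote code execution.  (A static array
 * here would overflow into neighbouring globals instead.) */
int parse_record_vulnerable(const uint8_t *buf, size_t buflen,
                            char *out, size_t outlen)
{
    char name[NAME_MAX];
    if (buf == NULL || out == NULL || buflen < 1 || outlen < 1)
        return -1;
    size_t len = buf[0];
    memcpy(name, buf + 1, len);   /* BUG: len never checked against NAME_MAX or buflen */
    name[len] = '\0';             /* BUG: also writes past the array when len >= NAME_MAX */
    snprintf(out, outlen, "%s", name);
    return (int)len;
}

/* Hardened parser: every attacker-controlled length is validated against
 * the destination buffer and the bytes actually present before any copy.
 * Malformed records are rejected with a negative code. */
int parse_record_hardened(const uint8_t *buf, size_t buflen,
                          char *out, size_t outlen)
{
    char name[NAME_MAX + 1];
    if (buf == NULL || out == NULL || buflen < 1 || outlen < 1)
        return -1;
    size_t len = buf[0];
    if (len > NAME_MAX)           /* field longer than the buffer: reject */
        return -2;
    if (len > buflen - 1)         /* record claims more bytes than were supplied */
        return -3;
    if (len + 1 > outlen)         /* caller's output buffer too small */
        return -4;
    memcpy(name, buf + 1, len);
    name[len] = '\0';
    memcpy(out, name, len + 1);
    return (int)len;
}

/* Constructed sample records, not captured from any real device. */
static const uint8_t RECORD_OK[]        = {5, 'H', 'e', 'l', 'l', 'o'};
static const uint8_t RECORD_TRUNCATED[] = {5, 'H', 'i'};
/* Length byte 200 followed by 200 payload bytes: well-formed on the wire
 * but far larger than NAME_MAX.  This is the shape of input that smashes
 * the vulnerable parser's frame; only the hardened parser is given it here. */
static const uint8_t RECORD_OVERSIZE[1 + 200] = {[0] = 200, [1] = 'A', [200] = 'A'};

int main(void)
{
    char out[NAME_MAX + 1];
    int rc;

    rc = parse_record_hardened(RECORD_OK, sizeof RECORD_OK, out, sizeof out);
    printf("valid:     rc=%d name=\"%s\"\n", rc, out);
    rc = parse_record_hardened(RECORD_TRUNCATED, sizeof RECORD_TRUNCATED, out, sizeof out);
    printf("truncated: rc=%d (rejected)\n", rc);
    rc = parse_record_hardened(RECORD_OVERSIZE, sizeof RECORD_OVERSIZE, out, sizeof out);
    printf("oversize:  rc=%d (rejected)\n", rc);
    return 0;
}
```

The fix is not the extra byte in the hardened array but the three checks before `memcpy`: the length field is compared with the destination size, with the input actually received, and with the caller's output buffer, so no value an attacker places in the file can select how much is written. The same three questions apply to any length, count or offset read from a print job, a font or an image before it is used to index or copy memory.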
HP presents itself as the only company offering awards of this size for vulnerabilities in its printer line. However and whenever the reports reached HP, its team worked to release updates that mitigate the risk, and HP executives have issued statements praising the team's effort and the firm's track record.
It is unclear whether these vulnerabilities were reported through the bounty program or whether HP already knew of them beforehand; the timing, however, makes them look like an outcome of the bounty hunt. Either way, HP, the self-proclaimed provider of the "world's most secure printing", has released patches before any public exploit for the vulnerabilities appeared.
A list of 166 affected consumer and enterprise network-connected printer types and models is published at the bottom of HP's security bulletin, spanning the OfficeJet, DeskJet, Envy, DesignJet and PageWide Pro lines, with the corresponding firmware update listed beside each model number. HP printer owners are urged to update their firmware immediately to avoid exposure to the two remote code execution vulnerabilities.