• HP Ink Printers Remote Code Execution: c06097712

    #210400

    SUPPORT COMMUNICATION- SECURITY BULLETIN
    Document ID: c06097712
    Version: 4

    HPSBHF03589 rev. 4 – HP Ink Printers Remote Code Execution
    Notice: The information in this security bulletin should be acted upon as soon as possible.

    Release date : 01-Aug-2018 | Last updated : 13-Aug-2018

    Potential Security Impact:
    Reported by: TBA


    VULNERABILITY SUMMARY

    Two security vulnerabilities have been identified with certain HP Inkjet printers. A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.
    Reference Number
    CVE-2018-5924, CVE-2018-5925, PSR-2018-0072

    RESOLUTION
    HP has provided firmware updates for impacted printers as set forth in the table below. To obtain the updated firmware, go to the HP Software and Drivers page for your product and find the firmware update from the list of available software.

    (Listed: Product Name, Product Number, Firmware Revision)


    Third Party Security Patches:
    Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer’s patch management policy.

     
    Read the full Security Bulletin here

    2 users thanked author for this post.
    • #210439
      1 user thanked author for this post.
    • #210483

      I have an HP Envy 4500 series printer (product no. A9T80A), which is one of the affected models listed in that bulletin. The HP Envy 4500 printer actually updated the firmware by itself in early August 2018 to version 1828A through a wireless internet connection via HP web services, without me having to perform the update. Nice 🙂

      On the other hand, there was a firmware update listed for my family’s HP Envy Photo 7800 series printer on its software & drivers page, however the HP Envy Photo 7800 printer is not listed as one of the affected printers in the recent HP security bulletin. I did try to update the firmware on the Envy Photo 7800 but it failed to update. Luckily, the bad firmware update did not brick the printer.

      Some people are having some problems updating the firmware on some of the affected printers as I am checking the HP forums myself.

      • #210647

        Quick update: It looks like the firmware update to the HP Envy Photo 7800 series printer (product # K7S08A) got automatically pushed through HP web services with a wireless internet connection earlier today, without any user intervention.

        I love it when these new HP printers update themselves

    • #211699

      From @Kirsty’s original post at the start of this thread:

      To obtain the updated firmware, go to the HP Software and Drivers page for your product and find the firmware update from the list of available software.

      Once you’ve downloaded the file that contains the revised firmware, do yourself a favor, and don’t just double click it to run it.

      Instead, do the following before downloading the revised firmware:

      1. Make sure your printer/multifunction device is indeed turned on.

      2. Go into “Devices and Printers” in Control Panel (both Windows 7 and 10) and make sure the device you want to update is seen in that list as “Ready” and not “Offline”. How do you find this out? Easy! Just hover the mouse over the icon representing the device you want to update, and the info will appear over the icon within a couple of seconds. While viewing this info, you also want to make sure there are no documents pending in the device’s queue. If the printer is on a network for several folks to share, make sure everyone knows not to try printing anything on the device in question until the firmware update is complete. The updater will tell you when it’s done and the device may even print out a special page with some rather “geeky” looking firmware update info.

      3. Now that you’ve successfully performed the first two steps, go ahead and download the file and run it.

      The printer/multifunction device needs to be on and ready to receive data in order for the firmware update to succeed. The first two steps above help ensure that this is the case. The firmware update doesn’t update drivers within Windows for the device, instead it updates the software within the device itself, and it does that via the computer’s connection to the device, be it a WiFi connection, USB cable or Ethernet (wired network) connection.

      I listed the first step because, although it may seem like a very obvious step that may not even be necessary in normal every-day computing, I’ve seen plenty of people try to print something and be unable to simply because the printer didn’t have any electrical power to it from being turned off or being unplugged. This includes seeing a few computer support department folks go through some deep troubleshooting within Windows trying to fix printing problems that wound up being due to the printer not having electrical power or being turned off. They didn’t feel so great when they found out the printer wasn’t on in the first place.

      I sincerely hope this helps anyone who’s never had to update firmware on their computer or other devices before.

      1 user thanked author for this post.
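
The pre-update checks from the reply above (printer not offline, nothing pending in its queue), scripted as an added example that is not part of the original post or HP's bulletin. The default printer name is a placeholder, and the function name `Test-PrinterReadyForFirmware` is made up for this example.

```powershell
# Added example: checks to run before launching a printer firmware updater.
# The default printer name is a placeholder; use the name shown in
# "Devices and Printers". Needs Windows PowerShell 3.0+ for Get-CimInstance.
param(
    [string]$PrinterName = 'HP ENVY 4500 series'   # placeholder
)

function Test-PrinterReadyForFirmware {
    param([Parameter(Mandatory)][string]$Name)

    function New-Result([bool]$Ready, [string]$Reason) {
        [pscustomobject]@{ Printer = $Name; Ready = $Ready; Reason = $Reason }
    }

    # Win32_Printer is the WMI view of the entries in "Devices and Printers".
    $printer = Get-CimInstance -ClassName Win32_Printer |
        Where-Object { $_.Name -eq $Name } | Select-Object -First 1
    if (-not $printer) {
        return New-Result $false 'No printer with that name is installed'
    }

    # Step 2: the device must not be "Offline".
    # PrinterStatus 7 = Offline; WorkOffline = "Use Printer Offline" is ticked.
    if ($printer.WorkOffline -or $printer.PrinterStatus -eq 7) {
        return New-Result $false 'Printer is offline (check power and connection)'
    }
    # PrinterStatus 3 = Idle, which the UI shows as "Ready".
    if ($printer.PrinterStatus -ne 3) {
        return New-Result $false "Printer is not idle (PrinterStatus $($printer.PrinterStatus))"
    }

    # Step 2, continued: nothing pending in the queue.
    # Win32_PrintJob.Name has the form "<printer name>, <job id>".
    $jobs = @(Get-CimInstance -ClassName Win32_PrintJob |
        Where-Object { $_.Name.StartsWith("$Name,") })
    if ($jobs.Count -gt 0) {
        return New-Result $false "$($jobs.Count) job(s) still in the queue"
    }

    New-Result $true 'Idle with an empty queue'
}

Test-PrinterReadyForFirmware -Name $PrinterName
```

WMI reports only this computer's spooler view; jobs queued on other computers that share the printer do not appear, so the advice to tell other users not to print during the update still applies.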