HP has published notices regarding dangerous vulnerabilities affecting hundreds of models of LaserJet Pro, Pagewide Pro, OfficeJet, Enterprise, Large Format and DeskJet printers.
The first bulletin warns of a buffer overflow vulnerability that could lead to remote code execution on a vulnerable device. The vulnerability (CVE-2022-3942) was reported by the Trend Micro Zero Day Initiative team.
Despite the fact that the problem received a score of 8.4 points on the CVSS scale, HP assessed the danger of the problem as critical.
HP has released firmware updates for most of the vulnerable products. For models without a fix, the company provided measures to prevent exploitation of vulnerabilities related to disabling LLMNR (Link-Local Multicast name resolution) in network settings.
Instructions for disabling unused network protocols using the Integrated Web Server (EWS) for LaserJet Pro are available here. Other product categories can follow the guide published here.
The second security bulletin from HP warns of two critical and one dangerous vulnerabilities that can be used for information disclosure, remote code execution and denial of service. Vulnerabilities CVE-2022-24291 (7.5 points on the CVSS scale), CVE-2022-24292 (9.8 points on the CVSS scale) and CVE-2022-24293 (9.8 points on the CVSS scale) were also discovered by Zero Day Initiative specialists.
Although few details about these vulnerabilities have been published, the consequences of remote code execution and information disclosure are usually far-reaching and potentially catastrophic. Therefore, users are strongly advised to install security updates as soon as possible and introduce remote access restriction policies.