HP has patched serious vulnerabilities (CVE-2018-5924, CVE-2018-5925) affecting many of its InkJet printers and is urging customers to apply the provided firmware updates as soon as possible.
HP InkJet printer vulnerabilities
The vulnerabilities, found and reported by a still-unnamed third-party researcher, can be triggered by a maliciously crafted file sent to an affected device. Such a file can cause a stack or static buffer overflow that may allow remote code execution.
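To make the mechanism concrete, the following is an added illustration (not HP's firmware and not the reported bug): a parser for a hypothetical print-job record of the form `[len:1 byte][data:len bytes]` that copies into a fixed-size stack buffer. The first routine trusts the declared length and can write past the end of the buffer, which is the general shape of the stack overflow described above; the second rejects any length the destination cannot hold. The record layout, function names, and sample inputs are all constructed for this example.

```c
/* Added example, not HP's code: a declared-length field in an untrusted
 * print-job record, copied into a fixed stack buffer. The record layout
 * ([len:1 byte][data:len bytes]) is hypothetical. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define FIELD_MAX 16   /* fixed-size destination, as is common in firmware parsers */

/* VULNERABLE pattern: validates the declared length only against the
 * source record, never against the destination buffer. When len exceeds
 * FIELD_MAX the memcpy writes past the end of 'field' on the stack.
 * Returns the number of bytes copied, or -1 for a truncated record. */
int parse_field_unsafe(const uint8_t *rec, size_t rec_len) {
    char field[FIELD_MAX];
    if (rec_len < 1) return -1;
    size_t len = rec[0];
    if (rec_len < 1 + len) return -1;   /* source bound only */
    memcpy(field, rec + 1, len);        /* overflow when len > FIELD_MAX */
    field[0] = field[0];                /* keep the buffer "used" for the example */
    return (int)len;
}

/* HARDENED version: the declared length is checked against the size of
 * the caller-supplied destination before any copy, and the result is
 * NUL-terminated so later string handling also stays in bounds.
 * Returns bytes copied, or -1 if the record is malformed or too long. */
int parse_field_safe(const uint8_t *rec, size_t rec_len,
                     char *out, size_t out_size) {
    if (rec_len < 1 || out_size == 0) return -1;
    size_t len = rec[0];
    if (len >= out_size) return -1;     /* no room for data + terminator */
    if (rec_len < 1 + len) return -1;   /* truncated record */
    memcpy(out, rec + 1, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed well-formed record: declared length 5, data "Hello".
 * Returns 1 if the safe parser accepts it and reproduces the data. */
int check_well_formed(void) {
    const uint8_t good[] = {5, 'H', 'e', 'l', 'l', 'o'};
    char out[FIELD_MAX];
    int n = parse_field_safe(good, sizeof good, out, sizeof out);
    return (n == 5 && strcmp(out, "Hello") == 0) ? 1 : 0;
}

/* Constructed oversized record: declared length 200 with 200 bytes of
 * payload, far larger than FIELD_MAX. Returns the safe parser's result,
 * which should be -1 (rejected before any copy takes place). */
int check_oversized_rejected(void) {
    uint8_t bad[1 + 200];
    bad[0] = 200;
    memset(bad + 1, 'A', 200);
    char out[FIELD_MAX];
    return parse_field_safe(bad, sizeof bad, out, sizeof out);
}

int main(void) {
    printf("well-formed record accepted: %d\n", check_well_formed());
    printf("oversized record result:     %d\n", check_oversized_rejected());
    return 0;
}
```

The only difference between the two routines is the check of `len` against the destination size; the source-length check alone is what lets a crafted file dictate how many bytes land on the stack. The unsafe routine is kept here for contrast and is never called with the oversized record.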
The list of affected devices is long and includes the PageWide Pro, DesignJet, OfficeJet, DeskJet, and Envy product lines.
Updates can be downloaded and installed directly from the printer or from the HP website (instructions on how to do so can be found here).
HP’s print security bug bounty program
The company did not say whether the vulnerabilities it patched were flagged as part of the newly revealed bug bounty program it launched with Bugcrowd in May. However, it is likely that they were.
For the moment, the program is still private.
According to CSO Online, 34 researchers were invited to take part in it. They were told to limit their efforts to endpoint devices (all HP enterprise printers) and to concentrate on firmware-level vulnerabilities, including remote code execution, cross-site request forgery (CSRF), and cross-site scripting (XSS) flaws.
Vulnerability reporting is to be done via Bugcrowd, which verifies bugs and rewards researchers based on the flaw’s severity, with awards of up to $10,000.
“Reporting a vulnerability previously found by HP may be assessed, and a reward may be provided to researchers as a good faith payment,” HP noted.
Shivaun Albright, HP’s Chief Technologist of Print Security, said that the company already keeps security in mind when developing printers, but wants to see whether anything has been missed.
Citing Bugcrowd’s latest State of Bug Bounty Report, HP said that top emerging attackers are focusing on endpoint devices, and that total print vulnerabilities across the industry have increased 21 percent over the past year.