HP has plugged important vulnerabilities (CVE-2018-5924, CVE-2018-5925) affecting many of its InkJet printers and is urging customers to install the provided firmware updates as soon as possible.
HP InkJet printer vulnerabilities
The vulnerabilities, found and reported by a still-unnamed third-party researcher, can be triggered through a maliciously crafted file sent to an affected device. Such a file can cause a stack or static buffer overflow, which can allow remote code execution.
The list of affected devices is long and includes the PageWide Pro, DesignJet, OfficeJet, DeskJet, and Envy product lines.
Updates can be downloaded and installed directly from the printer or from the HP website (instructions on how to do it can be found here).
HP’s print security bug bounty program
The company did not say whether the vulnerabilities it plugged were flagged as part of the newly revealed bug bounty program it launched with Bugcrowd in May, but it’s likely that they were.
For the moment, the program is still private.
According to CSO Online, 34 researchers were invited to take part in it. They were told to limit their efforts to endpoint devices (all HP enterprise printers) and to focus on firmware-level vulnerabilities, including remote code execution, cross-site request forgery (CSRF) and cross-site scripting (XSS) flaws.
Vulnerability reporting is to be done through Bugcrowd, which will verify bugs and reward researchers based on the severity of the flaw, with awards of up to $10,000.
“Reporting a vulnerability previously found by HP may be assessed, and a reward may be provided to researchers as a good faith payment,” HP noted.
Shivaun Albright, HP’s Chief Technologist of Print Security, said that the company already keeps security in mind while developing printers, but they want to see whether they’ve missed something.
Citing Bugcrowd’s most recent State of Bug Bounty Report, HP pointed out that top emerging attackers are targeting endpoint devices, and that total print vulnerabilities across the industry have increased 21 percent over the past year.