Three critical RCE flaws affect hundreds of HP printer models

Three critical RCE flaws affect hundreds of HP LaserJet Pro, Pagewide Pro, OfficeJet, Enterprise, Large Format, and DeskJet printer models.

HP issued a security bulletin warning of a buffer overflow vulnerability, tracked as CVE-2022-3942 (CVSS score 8.4), that could lead to remote code execution on vulnerable devices.

“Certain HP Print products and Digital Sending products may be vulnerable to potential remote code execution and buffer overflow with use of Link-Local Multicast Name Resolution or LLMNR.” concludes the advisory.

HP already addressed the flaw with the release of firmware security updates for the majority of the affected devices. HP also published mitigations for this issue, the company suggests disabling LLMNR (Link-Local Multicast Name Resolution).

The IT giant published a separate security bulletin about three vulnerabilities, two rated as critical (CVE-2022-24292 (critical severity score: 9.8), and CVE-2022-24293 (critical severity score: 9.8)) and one as high-severity CVE-2022-24291 (high severity score: 7.5).

“Certain HP Print devices may be vulnerable to potential information disclosure, denial of service, or remote code execution.” reads the bulletin published by HP.

The flaws could be exploited for information disclosure, gain remote code execution, and triggered a denial of service condition respectively.

HP has addressed all the above issues with the release of printer firmware for some of the impacted models.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, RCE)

[adrotate banner=”5″]

[adrotate banner=”13″]