Critical flaws in millions of HP OfficeJet Printers will allow attackers to gain control of the printers potentially using it as a springboard into the network it’s connected to.
Check Point researchers announced two critical stack-based buffer overflows vulnerabilities in HP’s implementation of the widely used Group 3 (G3) fax protocols in all its OfficeJet all-in-one inkjet printers at Def Con 2108, according to an Aug. 12 blog post.
Researchers were able to take control of the devices by sending a malicious fax without any prerequisite conditions and then leverage the EternalBlue tool for further network penetration. HP has released patches for both of the vulnerabilities and users are encouraged to update their devices as soon as possible.
Bob Noel, Director of Marketing and Strategic Partnerships for Plixer said the constant stream of new vulnerabilities will never slow down and that any IP connected device on a network creates its own threat surface.
“In most cases they are provisioned onto the network as trusted devices, which means they are allowed to transmit any protocol or application across the network segments for which they have access,” Noel said. “With so many threat surfaces, organizations must do two things to reduce their risk.”
Noel said that first, they much transition to a model of zero trust and then they must begin deploying network traffic analytics to scrutinize the traffic and look for patterns of malicious activity.
He also added that devices should be provisioned in a least privilege model, where they are only allowed to communicate over the protocols and applications for which they are meant.
The exploit was announced just weeks after HP announced what it called the world’s first printer bug bounty program. An HP spokesperson told SC Media their firm takes security seriously and encourages customers to keep their systems updated.
“HP was made aware of a vulnerability in certain printers by a third party researcher,” the spokesperson said. “HP has updates available to mitigate risks and has published a security bulletin with more information.”