HP announced in a security bulletin this week that it could take up to 90 days to patch a critical-severity vulnerability that affects the firmware of certain business-grade printers.
The security issue is tracked as CVE-2023-1707 and it affects about 50 HP Enterprise LaserJet and HP LaserJet Managed Printer models.
The company calculated a severity score of 9.1 out of 10 using the CVSS v3.1 standard and notes that exploiting it could potentially lead to information disclosure.
Despite the high score, the exploitation context is restrictive: vulnerable devices must run FutureSmart firmware version 5.6 and have IPsec enabled.
IPsec (Internet Protocol Security) is an IP network security protocol suite used in corporate networks to secure remote or internal communications and prevent unauthorized access to assets, including printers.
FutureSmart allows users to operate and configure printers either from a control panel available on the printer or from a web browser for remote access.
In this case, the information disclosure flaw could allow an attacker to access sensitive information transmitted between the vulnerable HP printers and other devices on the network.
BleepingComputer has contacted HP to learn more about the exact impact of the flaw and whether the vendor has seen signs of active exploitation, but we received no statement at publishing time.
The following printer models are affected by CVE-2023-1707:
- HP Color LaserJet Enterprise M455
- HP Color LaserJet Enterprise MFP M480
- HP Color LaserJet Managed E45028
- HP Color LaserJet Managed MFP E47528
- HP Color LaserJet Managed MFP E785dn, HP Color LaserJet Managed MFP E78523, E78528
- HP Color LaserJet Managed MFP E786, HP Color LaserJet Managed Flow MFP E786, HP Color LaserJet Managed MFP E78625/30/35, HP Color LaserJet Managed Flow MFP E78625/30/35
- HP Color LaserJet Managed MFP E877, E87740/50/60/70, HP Color LaserJet Managed Flow E87740/50/60/70
- HP LaserJet Enterprise M406
- HP LaserJet Enterprise M407
- HP LaserJet Enterprise MFP M430
- HP LaserJet Enterprise MFP M431
- HP LaserJet Managed E40040
- HP LaserJet Managed MFP E42540
- HP LaserJet Managed MFP E730, HP LaserJet Managed MFP E73025, E73030
- HP LaserJet Managed MFP E731, HP LaserJet Managed Flow MFP M731, HP LaserJet Managed MFP E73130/35/40, HP LaserJet Managed Flow MFP E73130/35/40
- HP LaserJet Managed MFP E826dn, HP LaserJet Managed Flow MFP E826z, HP LaserJet Managed E82650/60/70, HP LaserJet Managed E82650/60/70
HP says a firmware update that addresses the vulnerability will be released within 90 days, so there is currently no fix available.
The recommended mitigation for customers running FutureSmart 5.6 is to downgrade their firmware version to FS 5.5.0.3.
Users are advised to obtain the firmware package from HP's official download portal, where they can select their printer model and get the relevant software.
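As an added example (not HP's or BleepingComputer's code) tying together the exploitation conditions and the affected-model list above: a small Python triage script that expands the bulletin's abbreviated model codes (E78625/30/35 and the like) into individual models, then flags inventory rows that are on the list, run FutureSmart 5.6 and have IPsec enabled. The hostnames, firmware strings and inventory rows are constructed, and the "FutureSmart 5.6.0.1" version-string format is an assumption.

```python
# Added defender-side triage for CVE-2023-1707 (not HP's or BleepingComputer's code): expands the
# bulletin's abbreviated model list and flags inventory rows meeting all three exposure conditions.
import re
AFFECTED_RAW = """HP Color LaserJet Enterprise M455
HP Color LaserJet Enterprise MFP M480
HP Color LaserJet Managed E45028
HP Color LaserJet Managed MFP E47528
HP Color LaserJet Managed MFP E785dn, HP Color LaserJet Managed MFP E78523, E78528
HP Color LaserJet Managed MFP E786, HP Color LaserJet Managed Flow MFP E786, HP Color LaserJet Managed MFP E78625/30/35, HP Color LaserJet Managed Flow MFP E78625/30/35
HP Color LaserJet Managed MFP E877, E87740/50/60/70, HP Color LaserJet Managed Flow E87740/50/60/70
HP LaserJet Enterprise M406
HP LaserJet Enterprise M407
HP LaserJet Enterprise MFP M430
HP LaserJet Enterprise MFP M431
HP LaserJet Managed E40040
HP LaserJet Managed MFP E42540
HP LaserJet Managed MFP E730, HP LaserJet Managed MFP E73025, E73030
HP LaserJet Managed MFP E731, HP LaserJet Managed Flow MFP M731, HP LaserJet Managed MFP E73130/35/40, HP LaserJet Managed Flow MFP E73130/35/40
HP LaserJet Managed MFP E826dn, HP LaserJet Managed Flow MFP E826z, HP LaserJet Managed E82650/60/70"""

def expand_models(line: str) -> set[str]:
    """'... MFP E78625/30/35' -> {'E78625', 'E78630', 'E78635'}: each slash suffix replaces the code's tail."""
    codes = set()
    for part in line.split(","):
        head, *tails = part.strip().split()[-1].upper().split("/")  # last word of each entry is the model code
        codes.add(head)
        codes.update(head[:-len(t)] + t for t in tails)
    return codes

AFFECTED = set().union(*(expand_models(ln) for ln in AFFECTED_RAW.splitlines()))

def fs_major_minor(firmware: str) -> tuple[int, int]:
    nums = re.search(r"\d+(?:\.\d+)+", firmware).group().split(".")  # 'FS 5.5.0.3' -> ['5','5','0','3'] (format assumed)
    return int(nums[0]), int(nums[1])

def is_exposed(model: str, firmware: str, ipsec_enabled: bool) -> bool:
    return model.upper() in AFFECTED and fs_major_minor(firmware) == (5, 6) and ipsec_enabled

def triage(inventory):
    return sorted(host for host, model, fw, ipsec in inventory if is_exposed(model, fw, ipsec))

# Constructed inventory rows: (hostname, model code, firmware string, IPsec enabled).
INVENTORY = [
    ("prn-fin-01", "E78630", "FutureSmart 5.6.0.1", True),   # listed model, FS 5.6, IPsec on -> exposed
    ("prn-fin-02", "E78630", "FutureSmart 5.6.0.1", False),  # IPsec off -> not exposed
    ("prn-hr-01",  "M455",   "FS 5.5.0.3",          True),   # already on the recommended downgrade
    ("prn-ops-01", "e73030", "FutureSmart 5.6.0.1", True),   # lower-case code still matches -> exposed
    ("prn-lab-01", "M999",   "FutureSmart 5.6.0.1", True),   # placeholder model not in the bulletin
]
```

`triage(INVENTORY)` returns the hosts that need the FS 5.5.0.3 downgrade (or IPsec disabled) until HP ships the fix.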