HP Issues Security Alert for Various Envy, Designjet, OfficeJet and More Printers

Just after introducing a first-of-its-kind “bug bounty” program for its printers and copier/MFPs (see here), HP Inc. issued a security bulletin announcing that two security vulnerabilities have been identified in hundreds of HP inkjet-based printers. According to the HP security bulletin, “A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow, which could allow remote code execution.”

The two critical RCE flaws (CVE-2018-5924, CVE-2018-5925) can affect various HP Envy, Deskjet, Officejet, DesignJet, PageWide Managed, PageWide Pro, Photosmart, AMP, Ink Tank, and Smart Tank Wireless printers.

Visit HP Inc. here for further instructions on downloading security patches.

HP didn’t state which researchers had uncovered the bugs. Under the Bug Bounty program launched month:

  • Vulnerabilities found by researchers in the private program are required to be reported to Bugcrowd.
  • A report of a vulnerability previously discovered by HP will be assessed, and a reward may be offered to researchers as a good-faith payment.
  • Bugcrowd will verify bugs and reward researchers based on the severity of the flaw with awards up to $10,000.

More Resources

July 2018: HP Launches First ‘Bug-Bounty’ Vulnerability Reporting for Printers and Copiers