HP discloses critical security vulnerability in LaserJet printers

Target Industry

Indiscriminate, opportunistic targeting.

Overview

Severity Level – Critical: Compromise may result in the loss of confidentiality and integrity of data.

A security vulnerability, tracked as CVE-2023-1707 (CVSSv3 Score: 9.1 Severity Level – Critical), has been disclosed by HP, and will take up to 90 days to be patched. The flaw affects approximately 50 HP Enterprise LaserJet and HP LaserJet Managed Printers models.

Despite the high score, opportunities for exploitation are restricted, as vulnerable devices must be running FutureSmart firmware version 5.6 and have IPsec enabled.

At the time of writing, HP is not aware of any active exploitation of the vulnerability.

Impact

CVE-2023-1707: An information disclosure vulnerability exists in the TGAInput::read_tga2_header functionality of OpenImageIO Project OpenImageIO v2.4.7.1. A specially crafted targa file (.tga) can be provided by a threat actor which would lead to a disclosure of sensitive information. The information disclosure flaw could allow an attacker to access sensitive information transmitted between the vulnerable HP printers and other devices on the network.

Vulnerability Detection

HP is due to release the associated security patch for the respective product versions within a 90-day period. As such, previous versions are vulnerable to potential exploitation.

Affected Products

– HP Color LaserJet Enterprise M455
– HP Color LaserJet Enterprise MFP M480
– HP Color LaserJet Managed E45028
– HP Color LaserJet Managed MFP E47528
– HP Color LaserJet Managed MFP E785dn, HP Color LaserJet Managed MFP E78523, E78528
– HP Color LaserJet Managed MFP E786, HP Color LaserJet Managed Flow MFP E786, HP Color LaserJet Managed MFP E78625/30/35, HP Color LaserJet Managed Flow MFP E78625/30/35
– HP Color LaserJet Managed MFP E877, E87740/50/60/70, HP Color LaserJet Managed Flow E87740/50/60/70
– HP LaserJet Enterprise M406
– HP LaserJet Enterprise M407
– HP LaserJet Enterprise MFP M430
– HP LaserJet Enterprise MFP M431
– HP LaserJet Managed E40040
– HP LaserJet Managed MFP E42540
– HP LaserJet Managed MFP E730, HP LaserJet Managed MFP E73025, E73030
– HP LaserJet Managed MFP E731, HP LaserJet Managed Flow MFP M731, HP LaserJet Managed MFP E73130/35/40, HP LaserJet Managed Flow MFP E73130/35/40
– HP LaserJet Managed MFP E826dn, HP LaserJet Managed Flow MFP E826z, HP LaserJet Managed E82650/60/70, HP LaserJet Managed E82650/60/70

Containment, Mitigations & Remediations

HP LaserJet users with products running FutureSmart version 5.6 are advised to downgrade their firmware to FutureSmart version 5.5.0.3. The firmware package should be obtained from HP’s official download portal, where users can select their printer model and retrieve the relevant software.
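The conditions above (affected model, FutureSmart 5.6, IPsec enabled) can be checked against a printer inventory export. The following is an added example, not HP's or the bulletin author's code; the CSV column names, hostnames and the family-prefix matching are assumptions.

```python
import csv
import io
import re

# Model families from the "Affected Products" list above. Assumption: matching
# on the family prefix (E786 covers E78625/30/35), which can over-match.
AFFECTED_FAMILIES = ("M455", "M480", "E45028", "E47528", "E785", "E786", "E877",
                     "M406", "M407", "M430", "M431", "E40040", "E42540",
                     "E730", "E731", "M731", "E826")
MODEL_TOKEN = re.compile(r"\b([EM]\d{3,5})[A-Z]*\b")
VERSION = re.compile(r"(\d+)\.(\d+)")  # first major.minor pair in the field

def is_affected_model(model):
    tokens = MODEL_TOKEN.findall(model.upper())
    return any(t.startswith(AFFECTED_FAMILIES) for t in tokens)

def classify(row):
    """Return EXPOSED, LATENT, VERIFY or OK for one inventory row."""
    m = VERSION.search(row.get("futuresmart") or "")
    on_5_6 = bool(m) and (m.group(1), m.group(2)) == ("5", "6")
    if not (is_affected_model(row.get("model") or "") and on_5_6):
        return "OK"        # no match against this bulletin's list and conditions
    ipsec = (row.get("ipsec_enabled") or "").strip().lower()
    if ipsec in ("true", "yes", "1"):
        return "EXPOSED"   # both conditions from the bulletin hold
    if ipsec in ("false", "no", "0"):
        return "LATENT"    # FutureSmart 5.6 present, IPsec currently off
    return "VERIFY"        # IPsec state not recorded in the inventory

def triage(csv_text):
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["host"]: classify(row) for row in reader}

# Constructed sample inventory (hostnames and column names are hypothetical).
SAMPLE = """host,model,futuresmart,ipsec_enabled
prn-01,HP Color LaserJet Managed MFP E78630,5.6.0.1,true
prn-02,HP LaserJet Enterprise M406,5.6.0.1,false
prn-03,HP LaserJet Enterprise MFP M430,5.5.0.3,true
prn-04,HP LaserJet Managed MFP E826dn,5.6,
prn-05,Other Vendor Laser Z900,5.6.0.1,true
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE).items():
        note = " -> downgrade to FutureSmart 5.5.0.3" if status != "OK" else ""
        print(f"{host}: {status}{note}")
```

An OK result only means the row did not match the model list and conditions on this page; confirm model coverage against the HP advisory.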

Indicators of Compromise

No specific Indicators of Compromise (IoC) are available at this time.

Threat Landscape

HP LaserJet printers occupy a significant portion of the laser printer market. Given that threat actors generally use a combination of probability and asset value to determine which attack surfaces to focus on, laser printers can emerge as a prime target. Because LaserJet printers have become an integral part of both personal and business operations, it is likely that threat actors will seek out opportunities to exploit vulnerabilities in these devices in an attempt to extract the sensitive data they hold.

Threat Group

No specific threat actors have been identified as having exploited this vulnerability at the time of writing.

Mitre Methodologies

Common Weakness Enumeration Classification:

CWE-200 – Exposure of Sensitive Information to an Unauthorized Actor

Further Information

HP Advisory

Intelligence Terminology Yardstick