HP to patch critical bug in LaserJet printers within 90 days


HP announced in a security bulletin this week that it would take up to 90 days to patch a critical-severity vulnerability that impacts the firmware of certain business-grade printers.

The security issue is tracked as CVE-2023-1707 and it affects about 50 HP Enterprise LaserJet and HP LaserJet Managed Printers models.

The company calculated a severity score of 9.1 out of 10 using the CVSS v3.1 standard and notes that exploiting it could potentially lead to information disclosure.

Despite the high score, there is a restrictive exploitation context as vulnerable devices need to run FutureSmart firmware version 5.6 and have IPsec enabled.

IPsec (Internet Protocol Security) is an IP network security protocol suite used in corporate networks to secure remote or internal communications and prevent unauthorized access to assets, including printers.

FutureSmart allows users to operate and configure printers either from the control panel on the printer itself or remotely from a web browser.

In this case, the information disclosure flaw could allow an attacker to access sensitive information transmitted between the vulnerable HP printers and other devices on the network.

BleepingComputer has contacted HP to learn more about the exact impact of the flaw and whether the vendor has seen signs of active exploitation, but we received no statement at publishing time.

The following printer models are affected by CVE-2023-1707:

- HP Color LaserJet Enterprise M455
- HP Color LaserJet Enterprise MFP M480
- HP Color LaserJet Managed E45028
- HP Color LaserJet Managed MFP E47528
- HP Color LaserJet Managed MFP E785dn, HP Color LaserJet Managed MFP E78523, E78528
- HP Color LaserJet Managed MFP E786, HP Color LaserJet Managed Flow MFP E786, HP Color LaserJet Managed MFP E78625/30/35, HP Color LaserJet Managed Flow MFP E78625/30/35
- HP Color LaserJet Managed MFP E877, E87740/50/60/70, HP Color LaserJet Managed Flow E87740/50/60/70
- HP LaserJet Enterprise M406
- HP LaserJet Enterprise M407
- HP LaserJet Enterprise MFP M430
- HP LaserJet Enterprise MFP M431
- HP LaserJet Managed E40040
- HP LaserJet Managed MFP E42540
- HP LaserJet Managed MFP E730, HP LaserJet Managed MFP E73025, E73030
- HP LaserJet Managed MFP E731, HP LaserJet Managed Flow MFP M731, HP LaserJet Managed MFP E73130/35/40, HP LaserJet Managed Flow MFP E73130/35/40
- HP LaserJet Managed MFP E826dn, HP LaserJet Managed Flow MFP E826z, HP LaserJet Managed E82650/60/70, HP LaserJet Managed E82650/60/70

HP says a firmware update that addresses the vulnerability will be released within 90 days, so there’s currently no fix available.

The recommended mitigation for customers running FutureSmart 5.6 is to downgrade their firmware version to FS 5.5.0.3.

“HP recommends immediately reverting to a prior version of the firmware (FutureSmart version 5.5.0.3). Updated firmware to address the issue is expected within 90 days.” - HP

Users are advised to download the firmware package from HP’s official download portal, where they can select their printer model and get the relevant software.
