In a nutshell: Dozens of HP printers are vulnerable to a security issue that could potentially allow attackers to access sensitive information. The company is aware of the problem and is working on an update that will be rolled out later this year. In the meantime, HP is suggesting that users downgrade the firmware version of the affected models as a temporary workaround to mitigate the issue.
HP has announced a definitive time frame to roll out security updates to fix a critical vulnerability that affects many of its printers. The issue, which the company says renders the compromised machines vulnerable to "information disclosure," is tracked as CVE-2023-1707 and has a severity score of 9.1 out of 10 (CVSS v3.1).
According to HP, a patch is in the works, and it will be rolled out within 90 days to all its Enterprise LaserJet and LaserJet Managed Printers impacted by the vulnerability. Fortunately, the problem only affects a small number of printers that run FutureSmart firmware version 5.6 and have IPsec enabled.
Until the security patch is rolled out, HP is suggesting a temporary workaround for the affected devices. This involves downgrading to a prior version of the firmware (FutureSmart version 5.5.0.3) until the patch is deployed. The full list of the affected printers can be found on HP's support page.
In a statement to Bleeping Computer, HP said that that the exposure period for the vulnerability was between mid-February and the end of March 2023, and only affected select models running FutureSmart version 5. The company also explained that affected devices could theoretically expose scan job data sent from the printer. There's no known case of the vulnerability being exploited in the wild.
FutureSmart is HP's proprietary firmware that runs on the company's most powerful business-grade printers and helps system admins manage and maintain various features across a company's enterprise printer fleet. As for IPsec (Internet Protocol Security), it is an IP network security protocol suite, meant to prevent malicious actors from remotely accessing corporate networks.
This is not the first time that HP printers have been affected by security vulnerabilities. Last year, the company published security advisories for three vulnerabilities that could lead to remote code execution on compromised machines. The affected devices included many of its LaserJet Pro, Pagewide Pro, OfficeJet, Enterprise, Large Format, and DeskJet printer models. HP eventually released security updates for most of the affected products and suggested mitigation instructions for the models that could not be patched.
