HP Printers Security Vulnerability – 21st March 2022

HP has released a security bulletin detailing vulnerabilities found in HP printers; the bulletin was last updated on 22.03.22. Take notice: CVE-2022-24292 and CVE-2022-24293 are critical vulnerabilities with a CVSS score of 9.8. HP has released software updates for the printers affected by these vulnerabilities. Because of the zero-day threat factor, the vulnerability requires an immediate fix. Below, we review the printer models that are affected and the firmware or printer driver updates for the corresponding HP printer models.

What critical vulnerabilities have been listed by HP for printers in March 2022?

The following vulnerabilities have been found on a select few HP printer devices:

  • CVE-2022-24291 – a Remote Code Execution vulnerability with a CVSS score of 7.5, rated High severity. It has a high impact on the associated infrastructure.
  • CVE-2022-24292 – a Critical Remote Code Execution vulnerability with a CVSS score of 9.8. It needs to be patched immediately.
  • CVE-2022-24293 – a Critical Remote Code Execution vulnerability with a CVSS score of 9.8. This requires immediate patching.

All these vulnerabilities need to be resolved as part of the threat mitigation exercise. Firmware updates have been published by HP. You need to apply the corresponding firmware updates on the HP printer models shared below.

Which HP Printers are affected with critical RCE vulnerabilities – March 2022?

The vulnerabilities discussed here are CVE-2022-24291, CVE-2022-24292, and CVE-2022-24293. They affect the Laserjet PRO series, Officejet PRO series, and Pagewide PRO series. For your ready reference, we have listed the HP printer models that are impacted, together with the firmware version that fixes the vulnerabilities on each affected model.

HP Laserjet Pro Printer Series Models

Models affected in the HP Laserjet Pro Series by CVE-2022-24291, CVE-2022-24292, and CVE-2022-24293:

  • M453 – M454 – Resolution involves HP printer firmware update to 002_2208A.
  • MFP M478, M479 – Resolution involves HP printer firmware update to 002_2208A.
  • M304, M305 – Resolution involves HP printer firmware update to 002_2208A.
  • M404, M405 – Resolution involves HP printer firmware update to 002_2208A.
  • MFP M428, M429 – Resolution involves HP printer firmware update to 002_2208A.
  • MFP M428, M429 F – Resolution involves HP printer firmware update to 002_2208A.

Laserjet Pro model MFP M2XX is also affected, and no patch is available to mitigate the threat on the M2XX series as of now.

HP Pagewide PRO Printers affected with CVE-2022-24291, CVE-2022-24292 and CVE-2022-24293

The following models of HP Pagewide PRO Printers are affected by the Remote Code Execution vulnerabilities CVE-2022-24291, CVE-2022-24292 and CVE-2022-24293:

  • 352dw Printer
  • 377dw Multifunction Printer
  • Managed P55250dw Printer series
  • Managed P57750dw Multifunction Printer
  • Pro 452dn Printer series
  • Pro 452dw Printer series
  • 477dn Multifunction Printer series
  • 477dw Multifunction Printer series
  • 552dw Printer series
  • 577 Multifunction Printer series

On the models stated above, you need to deploy HP firmware 2205D or higher to resolve the vulnerabilities.

HP Officejet PRO Printers affected by CVE-2022-24291, CVE-2022-24292 and CVE-2022-24293

The HP Officejet PRO printers that are affected by the Remote Code Execution vulnerabilities are listed below:

  • OfficeJet Pro 8210 Printer series – Resolution involves firmware update to 001.2210B or higher.
  • OfficeJet Pro 8216 Printer series – Resolution involves firmware update to 001.2210B or higher.
  • OfficeJet Pro 8730 All-in-One Printer – Resolution involves firmware update to 001.2207C or higher.
  • OfficeJet Pro 8740 All-in-One Printer series – Resolution involves firmware update to 001.2207C or higher.

The RCE vulnerabilities seem to impact specific models of HP printers. Apart from the product models listed above, the RCE vulnerabilities do not affect other printer models or series.

Fix for RCE vulnerabilities CVE-2022-24291, CVE-2022-24292 and CVE-2022-24293

The only fix for CVE-2022-24291, CVE-2022-24292, and CVE-2022-24293 is the firmware update on HP printers. The resolution is mentioned below for your ready reference:

  • Laserjet PRO series models need to be patched with firmware version 002_2208A or higher.
  • Pagewide PRO series models need to be patched with firmware version 2205D or higher.
  • Officejet PRO series 8210 and 8216 need to be patched with firmware 001.2210B or higher.
  • Officejet PRO All in One 8730 and 8740 need to be patched with firmware 001.2207C or higher.

Please deploy the firmware updates on the affected HP printer model series on a priority basis. HP has not shared any alternative fixes or threat mitigation steps for these RCE flaws on HP printers, and no additional steps are needed beyond the firmware update to mitigate the threats.
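To make the "or higher" thresholds above actionable across a fleet, here is an added example (not code from HP or from the original post) that compares installed firmware strings against the fixed versions listed in this article. It assumes HP's firmware strings end in a four-digit date code plus a revision letter (e.g. 2208A) and that a higher date code, then a later letter, means a newer build; the series labels and sample inventory are constructed.

```python
import re

# Minimum fixed firmware per affected series, as listed in the HP bulletin
# summarised above. The series keys are labels chosen for this example.
FIXED_FIRMWARE = {
    "laserjet_pro": "002_2208A",
    "pagewide_pro": "2205D",
    "officejet_pro_8210_8216": "001.2210B",
    "officejet_pro_8730_8740": "001.2207C",
}

# Optional numeric train prefix (002_ or 001.), then a YYWW date code and a
# revision letter. Assumption: higher date code, then later letter, is newer.
_FW = re.compile(r"^(?:(\d+)[._])?(\d{4})([A-Z])$")


def firmware_key(version: str):
    """Parse an HP firmware string into (train_prefix, datecode, letter)."""
    m = _FW.match(version.strip().upper())
    if not m:
        raise ValueError(f"unrecognised HP firmware string: {version!r}")
    prefix, datecode, letter = m.groups()
    return (prefix or "", int(datecode), letter)


def is_patched(series: str, installed: str) -> bool:
    """True only when installed firmware is on the same train and at/above the fix."""
    p_inst, *rev_inst = firmware_key(installed)
    p_fix, *rev_fix = firmware_key(FIXED_FIRMWARE[series])
    if p_inst != p_fix:
        # Different firmware train: cannot confirm the fix, treat as unpatched.
        return False
    return tuple(rev_inst) >= tuple(rev_fix)


def unpatched(inventory):
    """Return the inventory rows still below the fixed firmware for their series."""
    return [row for row in inventory if not is_patched(row["series"], row["firmware"])]


# Constructed sample inventory; hostnames and versions are not real devices.
SAMPLE_INVENTORY = [
    {"host": "prn-01", "series": "laserjet_pro", "firmware": "002_2140A"},
    {"host": "prn-02", "series": "laserjet_pro", "firmware": "002_2208A"},
    {"host": "prn-03", "series": "pagewide_pro", "firmware": "2205C"},
    {"host": "prn-04", "series": "officejet_pro_8210_8216", "firmware": "001.2210B"},
    {"host": "prn-05", "series": "officejet_pro_8730_8740", "firmware": "001.2207B"},
]

if __name__ == "__main__":
    for row in unpatched(SAMPLE_INVENTORY):
        print(f"{row['host']}: {row['firmware']} is below {FIXED_FIRMWARE[row['series']]}")
```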

Other details of the vulnerabilities have not been publicly disclosed by HP as yet. This is an accepted practice as the vendor would like the affected product models to be patched against the security vulnerabilities.

Summary

HP’s March security bulletin lists the vulnerabilities and product models affected with critical and high severity flaws. Since the impact is of a critical nature, we suggest patching the impacted HP printer series with firmware updates on a priority basis. You can also refer to HP’s security bulletin on this page.
