HP announced in a security bulletin this week that it would take up to 90 days to fix a critical severity vulnerability that affects the firmware of some business printers.
The security issue is identified as CVE-2023-1707 and affects approximately 50 HP Enterprise LaserJet and HP LaserJet Managed printer models.
The company rates the flaw 9.1 out of 10 under the CVSS v3.1 standard and notes that exploiting it could lead to information disclosure.
Despite the high score, the preconditions are narrow: a device is only vulnerable if it is running FutureSmart firmware version 5.6 and has IPsec enabled.
Internet Protocol Security (IPsec) is a suite of protocols that authenticates and encrypts IP traffic at the network layer; corporate networks use it to secure remote or internal communications and to keep unauthorized hosts away from assets such as printers.
FutureSmart allows users to operate and configure printers either from a control panel available on the printer or from a web browser for remote access.
In this case, the information disclosure flaw could allow an attacker to access sensitive information transmitted between the vulnerable HP printers and other devices on the network.
BleepingComputer has reached out to HP to learn more about the exact impact of the flaw and whether the vendor has seen any signs of active exploitation, but we haven’t received a statement as of press time.
The following printer models are affected by CVE-2023-1707:
- HP Color LaserJet Enterprise M455
- HP Color LaserJet Enterprise MFP M480
- HP Color LaserJet Managed E45028
- HP Color LaserJet Managed MFP E47528
- HP Color LaserJet Managed MFP E785dn, HP Color LaserJet Managed MFP E78523, E78528
- HP Color LaserJet Managed MFP E786, HP Color LaserJet Managed Flow MFP E786, HP Color LaserJet Managed MFP E78625/30/35, HP Color LaserJet Managed Flow MFP E78625/30/35
- HP Color LaserJet Managed MFP E877, E87740/50/60/70, HP Color LaserJet Managed Flow E87740/50/60/70
- HP LaserJet Enterprise M406
- HP LaserJet Enterprise M407
- HP LaserJet Enterprise M430 Multifunction Printer
- HP LaserJet Enterprise M431 Multifunction Printer
- HP Managed LaserJet E40040
- HP LaserJet E42540 Managed Multifunction Printer
- HP LaserJet Managed MFP E730, HP LaserJet Managed MFP E73025, E73030
- HP LaserJet Managed MFP E731, HP LaserJet Managed Flow MFP M731, HP LaserJet Managed MFP E73130/35/40, HP LaserJet Managed Flow MFP E73130/35/40
- HP LaserJet Managed MFP E826dn, HP LaserJet Managed Flow MFP E826z, HP LaserJet Managed E82650/60/70
HP says a firmware update that fixes the vulnerability will be released within 90 days, so there is currently no fix available.
The recommended interim mitigation for customers running FutureSmart 5.6 is to downgrade the firmware to FS 5.5.0.3.
Customers should obtain the firmware package from the official HP download portal, where they can select their printer model and get the corresponding software.
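Because exposure depends on three conditions at once (a listed model, FutureSmart 5.6, and IPsec enabled), the practical first step is to triage a printer inventory against the bulletin. The script below is an added example written for this page, not HP's tooling or code from the article. It assumes an inventory that records model name, firmware string and IPsec state per device (the inventory rows here are constructed), that firmware strings carry a dotted version such as "FS 5.6.0.1" (an assumed format), and that the bulletin's shorthand "E78625/30/35" means E78625, E78630 and E78635 (my reading of the list above).

```python
import re
from dataclasses import dataclass

# Constructed excerpt of the affected-model list as printed in the article;
# the full list has around 50 entries, these are enough to show the matching.
AFFECTED_MODEL_SPECS = [
    "HP Color LaserJet Enterprise M455",
    "HP Color LaserJet Managed MFP E785dn, HP Color LaserJet Managed MFP E78523, E78528",
    "HP Color LaserJet Managed MFP E78625/30/35",
    "HP LaserJet Managed MFP E73130/35/40",
    "HP LaserJet Enterprise M406",
]

VULNERABLE_BRANCH = (5, 6)      # only FutureSmart 5.6 is affected per the bulletin
DOWNGRADE_TARGET = "5.5.0.3"    # interim mitigation named in the bulletin

_MODEL_TOKEN = re.compile(r"([A-Z]\d+)([a-z]*)((?:/\d+)+)?")


def expand_model_shorthand(spec: str) -> set[str]:
    """Expand 'E78625/30/35' style shorthand (assumed reading of the list) into
    concrete model numbers, e.g. {'E78625', 'E78630', 'E78635'}; plain tokens
    such as 'M455' or 'E785dn' pass through unchanged."""
    models: set[str] = set()
    for token in spec.replace(",", " ").split():
        m = _MODEL_TOKEN.fullmatch(token)
        if not m:
            continue                      # 'HP', 'LaserJet', 'MFP', ... are not models
        digits, letters, suffixes = m.groups()
        models.add(digits + letters)
        for sfx in (suffixes or "").strip("/").split("/"):
            if sfx:                       # replace the trailing digits with the suffix
                models.add(digits[: len(digits) - len(sfx)] + sfx)
    return models


def affected_models() -> set[str]:
    out: set[str] = set()
    for spec in AFFECTED_MODEL_SPECS:
        out |= expand_model_shorthand(spec)
    return out


def parse_fs_version(s: str) -> tuple[int, ...]:
    """Parse a FutureSmart version string such as 'FS 5.6.0.1' (assumed format)."""
    m = re.search(r"(\d+(?:\.\d+)+)", s)
    if not m:
        raise ValueError(f"unrecognised FutureSmart version: {s!r}")
    return tuple(int(p) for p in m.group(1).split("."))


@dataclass
class Printer:
    host: str
    model: str           # full marketing name, model number last, e.g. '... MFP E78630'
    firmware: str        # e.g. 'FS 5.6.0.1'
    ipsec_enabled: bool


def triage(p: Printer, affected: set[str]) -> str:
    """Apply the bulletin's three preconditions and return a status string."""
    model_no = p.model.split()[-1]
    if model_no not in affected:
        return "not listed"
    if parse_fs_version(p.firmware)[:2] != VULNERABLE_BRANCH:
        return "listed, not on FS 5.6"
    if not p.ipsec_enabled:
        return "listed, FS 5.6, IPsec off: not exposed, patch when the fix ships"
    return f"EXPOSED: downgrade to FS {DOWNGRADE_TARGET} until the fix ships"


# Constructed inventory rows for demonstration.
INVENTORY = [
    Printer("prn-01", "HP Color LaserJet Managed MFP E78630", "FS 5.6.0.1", True),
    Printer("prn-02", "HP Color LaserJet Managed MFP E78630", "FS 5.5.0.3", True),
    Printer("prn-03", "HP LaserJet Enterprise M406", "FS 5.6.0.1", False),
    Printer("prn-04", "HP LaserJet Enterprise M507", "FS 5.6.0.1", True),
]


def run(inventory: list[Printer] = INVENTORY) -> dict[str, str]:
    affected = affected_models()
    return {p.host: triage(p, affected) for p in inventory}


if __name__ == "__main__":
    for host, status in run().items():
        print(f"{host}: {status}")
```

Only prn-01 in the constructed inventory meets all three conditions; prn-02 is on an older branch, prn-03 has IPsec off, and prn-04 is not a listed model. The model-number matching is deliberately exact on the last token of the inventory name, so inventories that abbreviate names differently will need their own normalisation step.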