HP, HP Product Security Response Team (PSRT)

HP:C06169434

History: Oct 15, 2018 - 12:00 a.m.

HPSBPI03596 rev. 2 - HP LaserJet Enterprise, HP PageWide Enterprise, HP LaserJet Managed, and HP OfficeJet Enterprise Printers, Execution of Arbitrary Code

support.hp.com

EPSS: 0.003 (percentile: 71.2%)

Potential Security Impact

Execution of arbitrary code.

Source: HP, HP Product Security Response Team (PSRT)

VULNERABILITY SUMMARY

Solution application signature checking may allow potential execution of arbitrary code.

RESOLUTION

HP has provided firmware updates for impacted printers as indicated in the table below. To obtain the updated firmware, go to www.hp.com and follow these steps:

  1. Select Support from the top of the page, and then select Software & drivers.

  2. Click Printer, and then type the appropriate product name or model number from the table below into the search field.

  3. Click Submit.

  4. Scroll down and click Firmware from the category list.

  5. Click Download for the appropriate firmware.

> Note:
>
> Some FutureSmart printers have two available firmware platforms: FutureSmart 3 (FS3) and FutureSmart 4 (FS4). Select the appropriate firmware version for the required FutureSmart platform.

Temporary Mitigation Settings:

The vulnerability can be prevented in the short term by either of the following actions:

  • Set an Embedded Web Server (EWS) administrator password

Browse to the printer EWS, select the Security tab, and then set the password in the Local Administrator Password section.

  • Disable the “Allow firmware upgrades sent as print jobs (Port 9100)” setting

Browse to the printer EWS, select the Security tab, and then disable the setting in the Firmware Upgrade Security section.

These recommendations are documented in HP Printing Security Best Practices for HP LaserJet Enterprise Printers.

See page 35 for EWS administrator password configuration.

See page 37 for Allow firmware upgrades sent as print jobs configuration.
