The Protect IU Blog

    New vulnerabilities in HP printers require firmware updates to be applied.

    It is time to update the firmware on all HP printers.

    Researchers at Columbia University have recently disclosed some new security vulnerabilities in HP printers.

    Demonstrating several attacks on the vulnerabilities at the 28th Chaos Communication Congress, Ang Cui successfully installed modified firmware on an HP printer and used the compromised printer to launch attacks on other computers, among other attacks.

    In response to the disclosure, HP has released new printer firmware and issued a Security Bulletin. There you can find instructions on how to locate and install the appropriate firmware for specific models of HP printers.

    There have not been any reports of these attacks being observed in the wild; however, the vulnerabilities should be taken very seriously, as they represent a very high risk of exposure to attack.

    The UISO recommends locking down printers by setting an admin password, turning off unused and unneeded services (like telnet), placing printers on private IP addresses, and disabling Remote Firmware Updates (RFU). Cui demonstrated that the attacks cannot be prevented by any authentication mechanisms. Therefore, it is not enough to just lock down HP printers; the firmware must be updated to protect against these new attacks.
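The checklist above, applied to a printer inventory, as an added example that is not part of the original post. The inventory records, hostnames, addresses, field names and finding labels are constructed for illustration, and "private IP addresses" is assumed to mean RFC 1918 space.

```python
import ipaddress

# "Private IP addresses" is read here as RFC 1918 space (assumption).
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed inventory; hostnames, addresses and field names are hypothetical.
INVENTORY = [
    {"host": "prn-lib-01", "ip": "192.0.2.15", "admin_password": False,
     "services": ["ipp", "telnet", "ftp"], "rfu": True, "firmware_updated": False},
    {"host": "prn-lab-02", "ip": "10.20.30.40", "admin_password": True,
     "services": ["ipp"], "rfu": False, "firmware_updated": False},
    {"host": "prn-adm-03", "ip": "172.20.1.5", "admin_password": True,
     "services": ["ipp"], "rfu": False, "firmware_updated": True},
]


def audit(printer, needed=frozenset({"ipp"})):
    """Return the list of open findings for one inventory record."""
    findings = []
    addr = ipaddress.ip_address(printer["ip"])
    if not any(addr in net for net in RFC1918):
        findings.append("public-ip")
    if not printer["admin_password"]:
        findings.append("no-admin-password")
    for svc in sorted(set(printer["services"]) - needed):
        findings.append("unneeded-service:" + svc)
    if printer["rfu"]:
        findings.append("rfu-enabled")
    # Hardening does not replace the update: flag this regardless of the rest.
    if not printer["firmware_updated"]:
        findings.append("firmware-not-updated")
    return findings


def audit_all(inventory):
    """Map each host to its findings, most findings first."""
    report = {p["host"]: audit(p) for p in inventory}
    return dict(sorted(report.items(), key=lambda kv: -len(kv[1])))


if __name__ == "__main__":
    for host, findings in audit_all(INVENTORY).items():
        print(host, "OK" if not findings else ", ".join(findings))
```

The second record is fully locked down yet still reported, because its firmware has not been updated.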

    HP's news releases in response to the disclosure can be found here and here. HP has a printer hardening guide that can be found here. More information on HP printer security can be found here.

    The new vulnerabilities have been written about in the media by MSNBC, twice by Tom's Guide, Forbes and Boingboing, among others.

    The UISO will be working with LSPs and other sysadmins to track down HP printers that need to be moved to private IP addresses as well as have their firmware updated. If you have questions or need more information, please visit our website or email us at uiso at iu dot edu.
