$100,000 Offered for Discovery of Vulnerability

Originally published by Zainab Imran at appuals.com

HP Releases Critical Firmware Updates for 2 Remote Code Execution Vulnerabilities affecting 166 printer models

A few days ago, HP issued a huge batch of firmware updates for its printers, including its PageWide, DesignJet, OfficeJet, DeskJet and ENVY ranges.

Prior to that, HP offered a US$100,000 cash prize to researchers who could find vulnerabilities in its printer products. Two particular reports prompted the release of the firmware updates, which address two remote code execution vulnerabilities — CVE-2018-5924 and CVE-2018-5925. According to HP, both vulnerabilities received a critical CVSS 3.0 base score of 9.8.

HP warns that hundreds of its Inkjet printers are vulnerable to these two remote code execution vulnerabilities. Users should update their firmware immediately to mitigate the consequences of these severe vulnerabilities.

It is unclear whether these vulnerabilities were reported through the program or whether HP was aware of them beforehand. The timing, however, makes it appear as though this is the outcome of the bounty hunt. Regardless, HP has stood its ground as the self-proclaimed “world’s most secure printing” provider by releasing patches well before any exploitation of the known vulnerabilities.

A list of the 166 affected personal-use and enterprise network-connected printer types and models is published at the bottom of HP’s security bulletin.

More information at: https://appuals.com/
