Ever seen printer malware in action? Install this HP Ink patch – or you may find out

HP Inc has posted an update to address a pair of serious security vulnerabilities in its InkJet printers. The firmware update patches CVE-2018-5924 and CVE-2018-5925, two flaws that can be exploited by printing a file that triggers a stack or static buffer overflow, giving you the ability to then execute malicious code on the …

  1. Keef

    Not a printer I know...

    "HP is committed to engineering the most secure printers in the world."

    But I once had a HP scanner, something along the lines of a HP Scanjet 4370 Photo Scanner.

    I can't remember the exact model number but a google search for that model looks similar to the one I had.

    I bought it when XP was near end of life and as an early adopter of Win 7 I found the drivers (or any of their 'feature' software) no longer worked under the new operating system.

    It is a long time ago I know, but their website clearly stated there would be no updates and Win 7 was not supported for the rather expensive scanner I had recently bought.

    I worked around it by using the TWAIN interface in IrfanView, which I have donated to.

    I'm still an IrfanView user, I am no longer a HP user/purchaser.

    1. bombastic bob Silver badge
      WTF?

      Re: Not a printer I know...

      I've got an older OfficeJet 'all in one' and there are newer versions with similar names and numbers listed on the patch page, but mine is NOT listed.

      Does this mean my device is immune to this particular bug? Or does it mean that HP doesn't give a rip about me or my printer?

      I keep buying cartridges for the thing, I have to bend the paper 'just so' or it won't feed, I don't use it much so I have to hand-clean the print cartridges every couple o' months, but the scanner works fine with XSANE on Linux+BSD systems and there are CUPS drivers that actually work properly.

      And I've only ruined one printed check within the last few years due to a print cartridge that went dry just as I was printing it. I had a spare cartridge handy, though. I knew it was going to happen eventually.

      In any case, getting a NEW printer+scanner+fax not only requires additional $, it means dealing with driver incompatibilities _AGAIN_ and CUPS is a determining factor as to whether I'll even CONSIDER a newer printer model... and XSANE for scanners, too.

      1. sorry, what?
        Boffin

        Re: Unlisted devices

        @BomBob, I found that the HP all-in-one I inherited a while ago, being one that can be used with HP's remote ePrint service and that is wifi enabled, has a setup menu with the all-important "check for updates" option. If your printer has this give it a go. (I discovered that it had been configured for auto-updates and the printer declares itself as being up-to-date. Of course, I can't see what version it is running without wasting some ink and paper to print the details, but ho-hum.)

  2. John Brown (no body) Silver badge
    Coffee/keyboard

    Shivaun Albright

    I'm guessing she's not actually Irish or even of Irish parentage then?

    1. Keef

      Re: Shivaun Albright

      Why would her nationality or parentage matter to you? Or to anyone else on an internet chat for that matter.

      I can understand a medical professional wanting to know, if there was a serious illness involved that would necessitate paging Dr. House, but otherwise I'm bemused by your statement.

      Just curious as to why you think it is relevant, please let us all know.

      1. the Jim bloke Bronze badge

        Re: Shivaun Albright

        Appears to be a phonetic attempt to recreate the name Siobhán, without knowing the traditional spelling..

        As such it is worthy of comment, even if the Shivaun spelling has completely separate origin.

        According to a very cursory google search, Shivaun is one of the more popular anglicisations so it's as legitimate as any other cross-cultural appropriation.

        worthy of 5 minutes internet effort

      2. John Brown (no body) Silver badge

        Re: Shivaun Albright

        "Just curious as to why you think it is relevant, please let us all know."

        Being of (recent) Irish descent, I was surprised by the weird spelling.

        1. BebopWeBop Silver badge
          Thumb Down

          Re: Shivaun Albright

          I am surprised then that you have not come across it before.

  3. J. Cook Silver badge
    Trollface

    ... Do these firmware updates auto-brick the printer if non-HP carts are used, like previous firmware updates?

    asking for a friend.

    (and seriously, who the hell exposes a printer to the internet?)

    1. FrankAlphaXII Silver badge

      It's likely exposed for HP's ink subscription (yes, it's seriously a thing). It's like 10 bucks a month for 300 Pages and they keep you stocked with ink. Considering how much their ink normally is, it might actually make sense if you print a fair amount.

      And you've never worked in an office that has networked printers? They're probably addressed in a private range, but they're still exposed to the internet.

      1. picturethis
        Joke

        internet of tubes?

        Is this where they use the "internet of tubes" to deliver the actual ink over the internet (which would actually be truly useful) - or is it just another subscription service that replaces the lower cost (to the consumer) of just purchasing the stuff?

        inkjet ink has to be one of the worst/best inventions ever.

        I am so glad that I use pdfs and tablets now. No paper & no printing costs.. And did I forget to mention that storage, organization and searching of electronic documents is a lot easier than physical media?

      2. bombastic bob Silver badge
        Devil

        "They're probably addressed in a private range, but they're still exposed to the internet."

        especially if some clueless intern went and enabled 'uPNP' on the router/firewall (so his torrents would work better?). Or, if your printer has IPv6 enabled... (and your ISP supports it, and your firewall cluelessly allows incoming print requests to connect to it - because in theory, [nearly] all IPv6 addresses are publicly visible and exploitable without proper firewalling to STOP it)

    2. sanmigueelbeer Silver badge

      Do these firmware updates auto-brick the printer if non-HP carts are used, like previous firmware updates?

      Well, after they pulled that stunt last time, they were met with very strong criticisms so they had to push out an update to roll it back.

      Would they do it again? Sure, why not.

    3. macjules Silver badge

      (and seriously, who the hell exposes a printer to the internet?)

      Someone who wants to print from their office to their home? Someone who wants to make sure that an invoice they just issued to a client gets printed out in the office? Weird I know, but there you go.

    4. Anonymous Coward

      My home printer is apparently affected. Now I have to decide which is worse, leaving a potential vulnerability in a printer with an RFC1918 address on an isolated home LAN, or installing a software update from HP.

      Based on my experience with the universally crap HP printer software there's really no contest. I'll live with the bug.

    5. Trilkhai

      (and seriously, who the hell exposes a printer to the internet?)

      Someone who has a printer/scanner that they want to be able to scan/OCR/upload documents to a shared service without physical intervention, have it grab documents/images from the server to print out, etc. and get firmware updates so it keeps pace with changes to its compatible services.

      (Though to be fair, I leave my Brother printer/scanner unplugged most of the time so it doesn't waste ink by compulsively cleaning the fucking cartridges every few days.)

    6. Flywheel Silver badge

      (and seriously, who the hell exposes a printer to the internet?)

      A near-neighbour/someone within range of my WiFi router - the printer is an HP funnily enough. I haven't sent them the pictures of a black cat in a coal cellar.. yet.

  4. Anonymous Coward

    Had to give up on HP inkjet years ago

    The replacement ink cartridges would bankrupt you in months so it was replaced with a Brother's brand multi-function printer. With HP printer quality dropping like a rock we opted to no longer buy their laser printers either. The only HP products we buy are their AMD powered laptops which have been good.

    1. Anonymous Coward

      Re: Had to give up on HP inkjet years ago

      AC, "The only HP products we buy are their AMD powered laptops which have been good."

      "...good." Strange report. More commonly: 'Friends don't let friends buy HP laptops.' Not even refurbished.

    2. Jeffrey Nonken Silver badge

      Re: Had to give up on HP inkjet years ago

      My (used, bought from a friend who needed some cash) HP laptop won't boot if I try to upgrade the WiFi module. Bios gives an error that the configuration is incorrect. Same module works fine in my Lenovo of the same era; they don't need to force me to spend money on little stuff.

      All sorts of annoying things on the HP that are done right on the Lenovo.

      Last month I bought two Acers.

  5. Kev99 Bronze badge

    I guess it pays to keep using "obsolete" equipment. My Office Jet Pro 8100 is not affected.

    1. Mark 85 Silver badge

      Indeed... security by obscurity, I too have an old HP printer, single function.. it prints, can take 11X17 paper and is only connected to one PC which is connected maybe once a week for a few hours. Being obscure is sometimes a lot better.

  6. John F***ing Stepp

    Have I ever seen printer malware?

    Why yes, I once installed a driver set from HP (some brand) that required a complete reload of the OS; I then opened the office door, the door to the dumpster, and gave the printer the freedom it deserved.

    (Yes, I released a feral printer into the wild)

    1. jonathan keith

      Re: Have I ever seen printer malware?

      You bastard. At least we now know who to blame when all the local wildlife gets eaten.

  7. Anonymous Coward

    HP Network Laser Printers....

    ....at one time included an FTP server....you could print stuff by sending files to the printer IP address....i.e. anything at all! I wonder if this was secure. I wonder if this "feature" is still available.

    *

    On a different note, I'm not clear about the vulnerability described in this article. Surely one would need malware in someone's printer driver to cause buffer or stack overflows. If so, are HP printer drivers also suspects here?

    1. Sandtitz Silver badge
      Holmes

      Re: HP Network Laser Printers....

      "....at one time included an FTP server....you could print stuff by sending files to the printer IP address....i.e. anything at all! I wonder if this was secure. I wonder if this "feature" is still available."

      FTP is still available, or at least until very recently.

      FTP is not in any way less secure than printing to port 515 or 9100 which most default to.

      FTP has the benefit of making printout scripting easy and it works without needing OS support on the client. FW updates via FTP can be done from any OS, so you don't have to rely on some update software that runs only on Windows.

      If you want secure (encrypted) printing then IPP over HTTPS is the solution. The printers should also be in a separate network and only the print server should be able to talk to the printers, the clients should have no direct access to the printers.

      On a different note, I'm not clear about the vulnerability described in this article. Surely one would need malware in someone's printer driver to cause buffer or stack overflows. If so, are HP printer drivers also suspects here?

      No. First of all, you can these days print without any drivers via USB, email, FTP, Cloud Print (Android) or AirPrint (iOS). I may have missed many other methods here...

      The print processor (inside the printer) handling all the PCL/PS/HPGL/etc. code probably just produces overflows when a specially crafted print job is fed to it. The drivers probably could never produce such print jobs.

      1. s2bu

        Re: HP Network Laser Printers....

        Indeed, I have a Xerox color laser and a Ricoh color laser that both offer FTP. Since they both support PostScript & PDF, it's rightly handy to print something in a hurry on a new install without printer drivers. I've also used it a few times when I didn't have VPN setup yet. Save to PDF in the app, sftp it to a server on the DMZ, ssh into said server and FTP it to the printer. Printout is ready when I get back!

  8. vaporland

    so to install printer malware

    disguise it as an anti-malware patch?

  9. FlamingDeath Bronze badge
    Coffee/keyboard

    Here is an idea HP, and others *sigh*

    How about you do a bug bounty program before you release your shit-code-ladened hardware to the public, please?

  10. Anonymous Coward

    Printer viruses

    As it happens I had this discussion a while back at a (redacted) event and the upshot was "yes you could embed malicious code into a rogue cartridge but it wouldn't be worth the effort" unless you did a MITM attack and harvested a genuine box with serial numbered full cartridge in it.

    Use that cartridge *anywhere* and the Feds would know about it and send hungry, hungry DMCA lawyers to your location.

    Probably going to get Deep Sixed for this, but I once bought a black cartridge from a shop and it looked "strange". Worked perfectly though but was annoyed to find that the other three colours mysteriously showed as empty even though I ran the self clean just on the black a half dozen times to get every last schnozzle working as it needed to be 100% so I could print application letters.

    Still have the printer (was a chuckout as it needed some routine maintenance due to a spittoon clog jamming up the works) incidentally if anyone ever got a letter from me with off-black ink it might have been mine as I used an old dinosaur Canon bubblejet with CMY refilled black cartridge held together using Sellotape (tm)

  11. JeffyPoooh Silver badge
    Pint

    In the Year of our Lord, 2018...

    ...And 'buffer overflows' are still a thing.

    Stupid, stupid, stupid.

    And due to the way software is written 'these days' (in 'recent' decades, LOL), everyone is 'Standing On The Shoulders Of Morons'; in that even a skilled coder with the very best of intentions may still be caught out by the OS or other framework they've been compelled to use.

    Is there anything that can be done? Or will we still be overflowing our buffers in 2050 and beyond?

    Perhaps CPUs themselves should include dedicated hardware to provide and/or manage the apparently too-complex for humans functionality of buffering. Embed watertight anti-overflow logic.

    It's embarrassing (species-wise) that this is still going on in 2018.

  12. a pressbutton

    Is there anything that can be done?

    ...

    stop using pointers etc

    stop using languages that allow access to things that act like pointers

    (stop using VB :)

    go back to slate and chalk. Would very much like to see a buffer overflow there.

  13. markrand
    Trollface

    How do I transfer the new firmware to my ThinkJet?

    Seriously, we used ThinkJets and early DeskJets and they were revolutionary. One could even print graphs and pictures after only a few months of program writing.

    1. Flakk Silver badge
      Joke

      After Only a Few Months?!

      One could even print graphs and pictures after only a few months of program writing.

      You were lucky! At my last job, some poor shmoe got stuck with writing the reports for our in-house BI system. They made him use Crystal Reports! Sometimes I still imagine that guy catatonically rocking back and forth in his cube. *shudder*

  14. Locky Silver badge

    The only good feature on a HP printer

    Changing the "Ready" message to "Out of cheese"

  15. djberriman

    All done

    Printer already updated itself automatically (who knew)

    The web page is out of date despite being updated 3 days ago; a new version (1830B) was released 3 days ago, so the latest version is not, as per the web page, 1824A!

    Like other commentators I won't be buying another HP printer, my last one lasted years before needing replacing, replaced like for like with the latest model, first one was DOA, replacement lasted a few months before wrecking its print head ribbon cable, the replacement for that lasted a few months before the print head died.

  16. tiggity Silver badge

    Home network

    Has a HP for bog standard A4 stuff, but its not connected to wife, no cable Ethernet connection, it is just connected to one computer as zero point having it on the home network as no point in unnecessary potential attack vectors

    Obv in a work environment then a business case for networked printers can be made, but not on most home networks (No there's not a pressing need to print a cat meme image from your mobile via wifi to wifi enabled home printer)

    1. Paul Hovnanian Silver badge

      Re: Home network

      "but its not connected to wife"

      Damned autocorrect!

    2. Martin an gof Silver badge

      Re: Home network

      not connected to wife

      My wife would very clearly tell me where to go, if I tried connecting a printer - HP or otherwise - to her.

      in a work environment then a business case for networked printers can be made, but not on most home networks

      I don't think that's true these days, unless you want to buy one cheap inkjet per device which might want to print.

      The obvious counter argument is that there are probably more laptops and tablets in use now than desktops, so if you don't want to use your laptop as if it were a desktop (i.e. no more than a USB cable distance from the printer), the printer has to be networked. Unless there's something clever to be done with Bluetooth.

      The obvious second argument is in a multi-device, multi-user environment. At my home there are times during the week when there might be two or three children all working on homework at the same time and maybe my wife working at home too. Yes, more homework is now "delivered" via Google Classroom than used to be the case, but an awful lot of it still needs printing. Having one decent central printer, networked, is the perfect solution. Our current printer is a Xerox solid-ink device. Apart from occasional nozzle cleaning (internally it's like a cross between an inkjet and a laser), it "just works", and has done so for, erm... I think some 12 or 13 years now.

      M.

  17. Anonymous Coward

    I'd believe the thing about building 'the most secure printers in the world' a bit more if they didn't have their devices forcibly spin up new wifi networks for you, when you're quite happy just using the cable to connect (y'know, since the printer is right next to the PC....)

  18. Chipfryer

    Superflies

    HP should be considering insect-based security vectors.

    After initially thinking that either my network was hacked or my HP printer was haunted, when a series of beeps was followed by a test page print, I found the touchscreen was being activated by a fly walking across it.

    I've no idea how it managed to swipe right to get to the Settings menu but I for one welcome our new insect overlords

  19. SilentShark

    Freaked me out..

    ..when my printer suddenly sprung to life, printing a little note to say it had updated itself.

    My Deskjet printer often sulks, and likes to keep itself offline most of the time, so it was extra surprising to see it suddenly announce its proactive patching.

    But now it's announced itself to me as being alive itself (with a handy reference to its webserver), I felt compelled to at least have a little poke around. And.. 6 tcp ports open and listening and waiting for abuse :-)

  20. Conundrum1885

    PC Load Fist

    Otherwise known as the "12 pound CLUE HAMMER repair technique"

    I have a nice collection of dinosaurs here, scared ze missus when I went "Full Arnie" on the unfortunate victim printer and amazingly enough this unstuck it enough that it printed fine.

    It's still working!!

    Did you know that cats love printers? You can always tell because the guts are *totally* clogged up with icky cat hair, kind of like a trichobezoar but less messy.

    Same with laptops but they normally do not survive this treatment.
