HP plugs password-leaking printer flaw

Bad news: Most office bods won't patch it. Good news: Most office bods won't find password


Security flaws in a range of HP printers create a way for hackers to lift administrators' passwords and other potentially sensitive information from vulnerable devices, infosec experts have warned.

HP has released patches for the affected LaserJet Pro printers to defend against the vulnerability (CVE-2013-4807), which was discovered by Michał Sajdak of Securitum.pl. Sajdak discovered it was possible to extract plaintext versions of users' passwords via hidden URLs hardcoded into the printers’ firmware. A hex representation of the admin password is stored in a plaintext URL, though it looks encrypted to a casual observer.

Sajdak also discovered Wi-Fi-enabled printers leaked Wi-Fi settings and Wi-Fi Protected Setup PIN codes, as an advisory from the Polish security researcher explains.
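The point that a hex-encoded password only looks encrypted can be checked directly. The following Python script is an added example, not code from HP, Securitum.pl or the article: it scans a constructed device web-interface response for long hex runs that decode to printable ASCII, which is what a defender auditing a device should flag as a secret hidden by encoding rather than protected by encryption. The XML element names, the sample password and the function names are assumptions made for this example; the printer's real URLs and field names are not reproduced here.

```python
import re
from typing import List, Optional, Tuple

# Constructed sample: a made-up device configuration response. The element
# names and the password value are assumptions for this example, not the
# real printer's hidden URLs or fields.
SAMPLE_BODY = (
    "<config>\n"
    "  <admin_pwd>53656372657450617373</admin_pwd>\n"
    "  <session>ff00ff00ff00ff00</session>\n"
    "  <model>LaserJet Pro P1102w</model>\n"
    "</config>\n"
)

# A run of at least eight hex digits standing on its own.
HEX_RUN = re.compile(r"\b[0-9a-fA-F]{8,}\b")


def decode_if_printable(hex_run: str) -> Optional[str]:
    """Return the ASCII text behind a hex run, or None if it is not plain text.

    Hex is a reversible encoding, not a cipher: if the bytes decode to
    printable ASCII, the value was merely disguised, not encrypted.
    """
    if len(hex_run) % 2:
        return None  # odd length cannot be a whole byte sequence
    data = bytes.fromhex(hex_run)
    if all(0x20 <= b < 0x7F for b in data):
        return data.decode("ascii")
    return None  # binary-looking data, e.g. a real token or checksum


def find_hex_encoded_text(body: str) -> List[Tuple[str, str]]:
    """Scan a response body and return (hex, decoded) pairs for every hex run
    that turns out to be readable text."""
    findings = []
    for match in HEX_RUN.finditer(body):
        decoded = decode_if_printable(match.group(0))
        if decoded is not None:
            findings.append((match.group(0), decoded))
    return findings


if __name__ == "__main__":
    for hex_run, text in find_hex_encoded_text(SAMPLE_BODY):
        print(f"hex run {hex_run} is plain text: {text!r}")
```

Run against a saved copy of a device's configuration or status pages, the check turns up values that an administrator might assume are protected but that any observer of the HTTP traffic can decode in one call; the fix is a firmware update, not a different encoding.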

HP has released firmware updates for the following affected printers:

  • HP LaserJet Pro P1102w,
  • HP LaserJet Pro P1606dn,
  • HP LaserJet Pro M1212nf MFP,
  • HP LaserJet Pro M1213nf MFP,
  • HP LaserJet Pro M1214nfh MFP,
  • HP LaserJet Pro M1216nfh MFP,
  • HP LaserJet Pro M1217nfw MFP,
  • HP LaserJet Pro M1218nfs MFP and
  • HP LaserJet Pro CP1025nw.

HP's advisory is here.

Consumers aren't very good at patching their computers, much less their printers, which rarely need security updates.

"The bad news is that many printer owners probably aren’t aware that the security issue exists, or simply won’t bother to apply the firmware update," security watcher Graham Cluley notes. ®


Biting the hand that feeds IT © 1998–2022