Administrators who run HP LaserJet Enterprise or LaserJet Managed printers in their companies should protect the devices with a workaround. Otherwise, attackers can gain access to information that is supposed to be sealed off. A security patch is not yet available.
A critical vulnerability
Update, 04/06/2023, 12:58 p.m.: Affected models are listed in the text.
As the warning message indicates, the vulnerability (CVE-2023-1707) carries the threat level “critical”. However, the devices are only vulnerable when the FutureSmart 5.6 Remote Configuration Tool is used in conjunction with the IPsec network security protocol. In this case, an attacker could eavesdrop on the devices' network communications in a way that is not described in detail.
Affected models include the HP LaserJet Managed MFP E730, HP LaserJet Managed MFP E73025, E73030, and HP LaserJet Managed E40040. The alert contains a complete list of the devices at risk, including product numbers.
Security fix in sight
HP says it can only release secured versions of the firmware within the next 90 days. The manufacturer has not yet explained why this is so. Until then, devices with the above configuration are vulnerable.
To keep devices protected until security updates are released, administrators should install the older FutureSmart version 5.5.0.3. According to HP, this should happen soon. The manufacturer’s article on remediating the vulnerability contains additional information about unaffected firmware versions. It is currently unknown whether the vulnerability is already being attacked.