Over a hundred HP Inkjet printers have serious flaws that should be fixed Vulnerability-related.PatchVulnerability , HP has warned Vulnerability-related.DiscoverVulnerability . Computer and printer giant HP has flagged Vulnerability-related.DiscoverVulnerability two critical flaws over a hundred different printer models that it says should be patched Vulnerability-related.PatchVulnerability “ as soon as possible ” . Owners of numerous HP Inject models will need to install new firmware for each of the affected models from its Officejet , Deskjet , Envy , as well as its larger form business printers , including DesignJet and PageWide Pro printers . Multiple models from each product line are affected so customers and consumers should scroll through HP ’ s advisory to check whether their specific model is affected . Customers should also check out HP ’ s support pages for how to install the firmware updates , which can be done directly from the printer for web-enabled printers — mostly those released after 2010 — or via Windows or Mac computers they ’ re networked with . The bugs , which have been assigned Vulnerability-related.DiscoverVulnerability the numbers CVE-2018-5924 and CVE-2018-5925 , are rated “ critical ” and could allow remote code execution . “ Two security vulnerabilities have been identified Vulnerability-related.DiscoverVulnerability with certain HP Inkjet printers . A maliciously crafted file sent to an affected device can cause a stack or static buffer overflow , which could allow remote code execution , ” HP notes in an advisory . The company hasn’t indicated Vulnerability-related.DiscoverVulnerability whether the flaws are publicly known Vulnerability-related.DiscoverVulnerability or under attack but says it was “ recently made aware Vulnerability-related.DiscoverVulnerability of a vulnerability in certain inkjet printers by a third-party researcher. ” The patches come Vulnerability-related.PatchVulnerability just a few days after HP Inc announced Vulnerability-related.DiscoverVulnerability it would soon launch its printer bug bounty , which is the world ’ s first and only print security bug bounty program . The computer maker is partnering with Australian-founded Bugcrowd to manage the program , which will validate the bug reports , and pay researchers between $ 500 to $ 10,000 , depending on their severity . It ’ s one of Bugcrowd ’ s “ private programs ” so only researchers who are invited can submit bug reports . Printers are a soft spot for organizations because chief information security officers ( CISOs ) usually don ’ t get involved in their purchase , according to a member of HP ’ s security advisory board , MedSec CEO , Justine Bone . “ CISOs are rarely involved in printing purchase decisions yet play a critical role in the overall health and security of their organization , ” said Bone . “ For decades , HP has made cybersecurity a priority rather than an afterthought by engineering business printers with powerful layers of protection . And in doing so , HP is helping to support the valuable role CISOs play in organizations of every size . ”

Home routers are the first and sometimes last line of defense for a network . Despite this fact , many manufacturers of home routers fail to properly audit their devices for security issues before releasing them to the market . As security researchers , we are often disappointed to rediscover that this is not always the case , and that sometimes these vulnerabilities simply fall into our hands during our day-to-day lives . Such is the story of the two NETGEAR vulnerabilities I want to share Vulnerability-related.DiscoverVulnerability with you today : It was a cold and rainy winter night , almost a year ago , when my lovely NETGEAR VEGN2610 modem/router lost connection to the Internet . I was tucked in bed , cozy and warm , there was no way I was going downstairs to reset the modem , `` I will just reboot it through the web panel '' I thought to myself . Unfortunately I could n't remember the password and it was too late at night to check whether my roommates had it . I considered my options : Needless to say , I chose the latter . I thought to myself , `` Well , it has a web interface and I need to bypass the authentication somehow , so the web server is a good start . '' I started manually fuzzing the web server with different parameters , I tried `` .. / .. '' classic directory traversal and such , and after about 1 minute of fuzzing , I tried `` … '' and I got this response : Fig 1 : unauth.cgi `` Hmm , what is that unauth.cgi thingy ? Luckily for me the Internet connection had come back on its own , but I was now a man on a mission , so I started to look around to see if there were any known vulnerabilities for my VEGN2610 . I started looking up what that `` unauth.cgi '' page could be , and I found 2 publicly disclosed Vulnerability-related.DiscoverVulnerability exploits from 2014 , for different models that manage to do unauthenticated password disclosure . Those two guys found out Vulnerability-related.DiscoverVulnerability that the number we get from unauth.cgi can be used with passwordrecovered.cgi to retrieve the credentials . I tested the method described in both , and voila - I have my password , now I can go to sleep happy and satisfied . I woke up the next morning excited by the discovery , I thought to myself : `` 3 routers with same issue… Coincidence ? Luckily , I had another , older NETGEAR router laying around ; I tested it and bam ! I started asking people I knew if they have NETGEAR equipment so I could test further to see the scope of the issue . In order to make life easier for non-technical people I wrote a python script called netgore , similar to wnroast , to test for this issue . I am aware of that and that is why I do n't work as a full time programmer . As it turned out , I had an error in my code where it did n't correctly take the number from unauth.cgi and passed gibberish to passwordrecovered.cgi instead , but somehow it still managed to get the credentials ! After few trials and errors trying to reproduce the issue , I found Vulnerability-related.DiscoverVulnerability that the very first call to passwordrecovered.cgi will give out the credentials no matter what the parameter you send . This is totally new bug that I have n't seen anywhere else . When I tested both bugs on different NETGEAR models , I found Vulnerability-related.DiscoverVulnerability that my second bug works on a much wider range of models . A full description of both of these findings as well as the python script used for testing can be found here . The vulnerabilities have been assigned Vulnerability-related.DiscoverVulnerability CVE-2017-5521 and TWSL2017-003 . The Responsible Disclosure Process This is where the story of discovery ends and the story of disclosure begins . Following our Responsible Disclosure policy we sent both findings Vulnerability-related.DiscoverVulnerability to NETGEAR in the beginning of April 2016 . In our initial contact , the first advisory had 18 models listed as vulnerable Vulnerability-related.DiscoverVulnerability , although six of them did n't have the vulnerability in the latest firmware . Perhaps it was fixed Vulnerability-related.PatchVulnerability as part of a different patch cycle . The second advisory included 25 models , all of which were vulnerable Vulnerability-related.DiscoverVulnerability in their latest firmware version . In June NETGEAR published a notice that provided Vulnerability-related.PatchVulnerability a fix for a small subset of vulnerable routers and a workaround for the rest . They also made the commitment to working toward 100 % coverage for all affected routers . The notice has been updated several time since then and currently contains 31 vulnerable models , 18 of which are patched Vulnerability-related.PatchVulnerability now , and 2 models that they previously listed as vulnerable Vulnerability-related.DiscoverVulnerability , but are now listed as not vulnerable Vulnerability-related.DiscoverVulnerability . In fact , our tests show that one of the models listed as not vulnerable Vulnerability-related.DiscoverVulnerability ( DGN2200v4 ) is , in fact , vulnerable and this can easily be reproduced with the POC provided in our advisory . Over the past nine months we attempted to contact NETGEAR multiple times for clarification and to allow them time to patch Vulnerability-related.PatchVulnerability more models . Over that time we have found Vulnerability-related.DiscoverVulnerability more vulnerable models that were not listed in the initial notice , although they were added later . We also discovered Vulnerability-related.DiscoverVulnerability that the Lenovo R3220 router is powered by NETGEAR firmware and it was vulnerable Vulnerability-related.DiscoverVulnerability as well . Luckily NETGEAR did eventually get back to us right before we were set to disclose Vulnerability-related.DiscoverVulnerability these vulnerabilities publicly . We were a little skeptical since our experience to date matched that of other third-party vulnerability researchers that have tried to responsibly disclose Vulnerability-related.DiscoverVulnerability to NETGEAR only to be met with frustration . The first was that NETGEAR committed to pushing out firmware to the currently unpatched models on an aggressive timeline . The second change made us more confident that NETGEAR was not just serious about patching Vulnerability-related.PatchVulnerability these vulnerabilities , but serious about changing how they handle third-party disclosure in general . We fully expect this move will not only smooth the relationship between third-party researchers and NETGEAR , but , in the end , will result in a more secure line of products and services . For starters , it affects a large number of models . We have found Vulnerability-related.DiscoverVulnerability more than ten thousand vulnerable devices that are remotely accessible . The real number of affected devices is probably in the hundreds of thousands , if not over a million . The vulnerability can be used by a remote attacker if remote administration is set to be Internet facing .