Admins who use HP printers from the LaserJet series in companies should secure the devices with a workaround. Otherwise, attackers could access information that is actually isolated. A security patch is not yet available.
Critical vulnerability
As indicated by a warning messagethe vulnerability is (CVE-2023-1707) with threat level “critical“. However, devices are only vulnerable if the remote configuration tool FutureSmart 5.6 is used in conjunction with the network security protocol IPsec. If this is the case, an attacker could eavesdrop on the communication of network devices in a way that is not described in detail.
The models affected include the HP LaserJet Managed MFP E730, HP LaserJet Managed MFP E73025, E73030 and HP LaserJet Managed E40040. The warning message contains a complete list of the threatened devices including the product numbers.
Security patch in sight
HP states that they can only publish secured firmware versions in the next 90 days. The manufacturer does not currently explain why this is the case. Until then, devices with the above configurations are vulnerable.
In order to still secure devices until the security updates are released, admins must install the older FutureSmart version 5.5.0.3. According to HP, this should happen quickly. The manufacturer’s contribution to the vulnerability contains further information on unaffected firmware versions. It is currently not known whether there are already attacks on the vulnerability.
(of the)