Vulnerabilities / Threats

7/31/2018
04:30 PM
Connect Directly
Google+
Twitter
RSS
E-Mail
50%
50%

HP Launches Printer Bug Bounty Program

Bugcrowd will manage new vulnerability disclosure award program for HP enterprise printers.

HP will pay up to $10,000 per vulnerability found in its enterprise printers under a new bug bounty program.

Bugcrowd is heading up HP's new private bug bounty program, with award amounts based on the severity of the flaws. A recent report from Bugcrowd shows an increase of 21% in vulnerabilities discovered in printers.

Printers often get overlooked as potential attack vectors. But with rising threats targeting other Internet of Things (IoT) devices and printers getting outfitted with more advanced functions, they're becoming a more attractive weak link.

"Like the PC, printers have become incredibly powerful devices, increasing in storage and processing power. However, we haven't reached awareness to secure print devices, and all the good security practices that are employed to protect PCs and other important nodes in the network are not being deployed with consistency to printers," says Shivaun Albright, chief technologist for printing security at HP. "HP's goal is to continually improve and help our customers manage their devices."  

HP previously had worked directly with researchers who discovered flaws in its printers. "We've always actively encouraged researchers to report vulnerabilities," Albright says.

Its new printer bug bounty program calls for researchers to root out firmware flaws, such as cross-site request forgery (CSRF), remote code execution (RCE), and cross-site scripting (XSS). "Bugcrowd and HP have worked with one researcher to physically send [to them] an enterprise grade A3 printer to fully assess all components from the outside in," Albright says.

The program initially is for HP LaserJet Enterprise printers and HP PageWide Enterprise printers and MFPs (A3 and A4 formats).

While IoT devices have received a lot of attention security-wise of late, printers have not. "There's a big focus on connected devices like Web cameras or smart TVs, which are highly relatable to everyone, but not printers necessarily," Albright says. "That said, printers may be the most common IoT device an individual uses."  

The Mirai botnet attack in 2016 was a big wake-up call: "[It] took down the Internet in a major way. The botnet used hacked IoT devices, like webcams and DVRs, but printers were also a part of that mix," she says.

Printers often get lost in the shuffle when it comes to enterprise security. "There is currently a gap in discussions between decision-makers and those implementing the technology," Albright notes. "We're also seeing mismanagement in the deployment of printers leaving critical ports and settings open. This makes it easy for attackers to remotely access the device."

HP recommends that printer customers work closely with their channel partners to use managed print services programs, and that remote workers avoid printing via unsecure Wi-Fi networks, for example.

Related Content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/3/2018 | 10:34:33 AM
Ancient threat
How many remember, and tested, the infamous google search string for OFFICEJET printers that could access and display the internal web page of officejets AROUND the world and with internal IP address to boot!!!   i tried it an dit worked - impressive failure indeed. 
12 Free, Ready-to-Use Security Tools
Steve Zurier, Freelance Writer,  10/12/2018
Most IT Security Pros Want to Change Jobs
Dark Reading Staff 10/12/2018
Most Malware Arrives Via Email
Dark Reading Staff 10/11/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
Flash Poll
The Risk Management Struggle
The Risk Management Struggle
The majority of organizations are struggling to implement a risk-based approach to security even though risk reduction has become the primary metric for measuring the effectiveness of enterprise security strategies. Read the report and get more details today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17534
PUBLISHED: 2018-10-15
Teltonika RUT9XX routers with firmware before 00.04.233 provide a root terminal on a serial interface without proper access control. This allows attackers with physical access to execute arbitrary commands with root privileges.
CVE-2018-17980
PUBLISHED: 2018-10-15
NoMachine before 5.3.27 and 6.x before 6.3.6 allows attackers to gain privileges via a Trojan horse wintab32.dll file located in the same directory as a .nxs file, as demonstrated by a scenario where the .nxs file and the DLL are in the current working directory, and the Trojan horse code is execute...
CVE-2018-18259
PUBLISHED: 2018-10-15
Stored XSS has been discovered in version 1.0.12 of the LUYA CMS software via /admin/api-cms-nav/create-page.
CVE-2018-18260
PUBLISHED: 2018-10-15
In the 2.4 version of Camaleon CMS, Stored XSS has been discovered. The profile image in the User settings section can be run in the update / upload area via /admin/media/upload?actions=false.
CVE-2018-17532
PUBLISHED: 2018-10-15
Teltonika RUT9XX routers with firmware before 00.04.233 are prone to multiple unauthenticated OS command injection vulnerabilities in autologin.cgi and hotspotlogin.cgi due to insufficient user input sanitization. This allows remote attackers to execute arbitrary commands with root privileges.