Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats

7/31/2018
04:30 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

HP Launches Printer Bug Bounty Program

Bugcrowd will manage new vulnerability disclosure award program for HP enterprise printers.

HP will pay up to $10,000 per vulnerability found in its enterprise printers under a new bug bounty program.

Bugcrowd is heading up HP's new private bug bounty program, with award amounts based on the severity of the flaws. A recent report from Bugcrowd shows an increase of 21% in vulnerabilities discovered in printers.

Printers often get overlooked as potential attack vectors. But with rising threats targeting other Internet of Things (IoT) devices and printers getting outfitted with more advanced functions, they're becoming a more attractive weak link.

"Like the PC, printers have become incredibly powerful devices, increasing in storage and processing power. However, we haven't reached awareness to secure print devices, and all the good security practices that are employed to protect PCs and other important nodes in the network are not being deployed with consistency to printers," says Shivaun Albright, chief technologist for printing security at HP. "HP's goal is to continually improve and help our customers manage their devices."  

HP previously had worked directly with researchers who discovered flaws in its printers. "We've always actively encouraged researchers to report vulnerabilities," Albright says.

Its new printer bug bounty program calls for researchers to root out firmware flaws, such as cross-site request forgery (CSRF), remote code execution (RCE), and cross-site scripting (XSS). "Bugcrowd and HP have worked with one researcher to physically send [to them] an enterprise grade A3 printer to fully assess all components from the outside in," Albright says.

The program initially is for HP LaserJet Enterprise printers and HP PageWide Enterprise printers and MFPs (A3 and A4 formats).

While IoT devices have received a lot of attention security-wise of late, printers have not. "There's a big focus on connected devices like Web cameras or smart TVs, which are highly relatable to everyone, but not printers necessarily," Albright says. "That said, printers may be the most common IoT device an individual uses."  

The Mirai botnet attack in 2016 was a big wake-up call: "[It] took down the Internet in a major way. The botnet used hacked IoT devices, like webcams and DVRs, but printers were also a part of that mix," she says.

Printers often get lost in the shuffle when it comes to enterprise security. "There is currently a gap in discussions between decision-makers and those implementing the technology," Albright notes. "We're also seeing mismanagement in the deployment of printers leaving critical ports and settings open. This makes it easy for attackers to remotely access the device."

HP recommends that printer customers work closely with their channel partners to use managed print services programs, and that remote workers avoid printing via unsecure Wi-Fi networks, for example.

Related Content:

 

 

 

Black Hat USA returns to Las Vegas with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
REISEN1955
50%
50%
REISEN1955,
User Rank: Ninja
8/3/2018 | 10:34:33 AM
Ancient threat
How many remember, and tested, the infamous google search string for OFFICEJET printers that could access and display the internal web page of officejets AROUND the world and with internal IP address to boot!!!   i tried it an dit worked - impressive failure indeed. 
Anamikasinha123
50%
50%
Anamikasinha123,
User Rank: Apprentice
3/31/2020 | 4:57:24 AM
Re: Ancient threat
 Thanks for putting this information . Here is a blog which will help to Fix Missing Network Printer issues in the windows system. The main issue is of outdated drivers if printer stop working. So you should update all the drivers
NSA Appoints Rob Joyce as Cyber Director
Dark Reading Staff 1/15/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2020: The Year in Security
Download this Tech Digest for a look at the biggest security stories that - so far - have shaped a very strange and stressful year.
Flash Poll
Assessing Cybersecurity Risk in Today's Enterprises
Assessing Cybersecurity Risk in Today's Enterprises
COVID-19 has created a new IT paradigm in the enterprise -- and a new level of cybersecurity risk. This report offers a look at how enterprises are assessing and managing cyber-risk under the new normal.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-8567
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver Vault Plugin prior to v0.0.6, Azure Plugin prior to v0.0.10, and GCP Plugin prior to v0.2.0 allow an attacker who can create specially-crafted SecretProviderClass objects to write to arbitrary file paths on the host filesystem, including /var/lib/kubelet/pods.
CVE-2020-8568
PUBLISHED: 2021-01-21
Kubernetes Secrets Store CSI Driver versions v0.0.15 and v0.0.16 allow an attacker who can modify a SecretProviderClassPodStatus/Status resource the ability to write content to the host filesystem and sync file contents to Kubernetes Secrets. This includes paths under var/lib/kubelet/pods that conta...
CVE-2020-8569
PUBLISHED: 2021-01-21
Kubernetes CSI snapshot-controller prior to v2.1.3 and v3.0.2 could panic when processing a VolumeSnapshot custom resource when: - The VolumeSnapshot referenced a non-existing PersistentVolumeClaim and the VolumeSnapshot did not reference any VolumeSnapshotClass. - The snapshot-controller crashes, ...
CVE-2020-8570
PUBLISHED: 2021-01-21
Kubernetes Java client libraries in version 10.0.0 and versions prior to 9.0.1 allow writes to paths outside of the current directory when copying multiple files from a remote pod which sends a maliciously crafted archive. This can potentially overwrite any files on the system of the process executi...
CVE-2020-8554
PUBLISHED: 2021-01-21
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.externalIPs field, to intercept traffic to that IP address. Additionally, an attacker who is able to patch the status (which is considered a privileged operation and should not typicall...