HP: Critical gaps in universal printer drivers allow code smuggling
HP has updated the universal printer drivers for PCL 6 and Postscript. The updates close critical security gaps.
There are critical security gaps in HP's universal printer drivers for PCL6 and Postscript. Attackers can inject and execute malicious code. Updates are available, which IT managers should install quickly.
HP has published a security bulletin describing the vulnerabilities in the Universal Print Driver for both PCL6 and Postscript. The vulnerabilities stem from third-party components used in the driver, specifically libjpeg, libpng, OpenSSL and zlib. The vulnerabilities are CVE-2017-12652 (execution of injected code, CVSS 9.8, “critical” risk), CVE-2022-2068 (also execution of injected code, CVSS 9.8, critical), CVE-2023-45853 (information leak, CVSS 9.8, critical) and CVE-2020-14152 (denial of service, CVSS 7.1, high).
Universal drivers for thousands of HP printers
HP's universal drivers support thousands of the manufacturer's printer models and are therefore widely used. If you want to check whether your printer or printers are supported, you can look this up in HP's list. All versions before the current 7.3.0.25919 are affected by the vulnerabilities; the current version is available for PCL6 or Postscript on the HP download page.
Installation finishes with a printer search or with setting the printer up anew. However, old printer entries that still use older versions of the driver are not deleted. It is unclear whether they automatically use the corrected drivers. Since the printers are set up anew anyway, admins should simply remove the old entries.
Printer drivers rarely receive much attention. However, anyone using HP printers with the universal drivers should update them quickly due to the severity of the security vulnerabilities. This applies to all PCs and laptops in your network, even those that are used less frequently.
(dmk)
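
To find the stale driver versions and the printer entries still bound to them, the following PowerShell audit can be run on each Windows machine. It is an added example, not taken from HP's bulletin or from the article. It assumes that the universal drivers are registered under names beginning with "HP Universal Printing" and that the spooler reports a packed `DriverVersion`; it only reports and changes nothing.

```powershell
# Added example: report HP Universal Print Driver versions and the printers using them.
# Assumption: UPD packages are registered under names starting with this prefix.
$NamePattern  = 'HP Universal Printing*'
$FixedVersion = [version]'7.3.0.25919'   # fixed version named in the article

function ConvertTo-DriverVersion {
    param([Parameter(Mandatory)][uint64]$Packed)
    # DriverVersion packs four 16-bit fields: major.minor.build.revision
    $parts = foreach ($shift in 48, 32, 16, 0) {
        [int](($Packed -shr $shift) -band 0xFFFF)
    }
    [version]('{0}.{1}.{2}.{3}' -f $parts)
}

$drivers  = Get-PrinterDriver | Where-Object Name -like $NamePattern
$printers = Get-Printer

$report = foreach ($d in $drivers) {
    # Printer entries (queues) that still reference this driver package
    $bound = @($printers | Where-Object DriverName -eq $d.Name | ForEach-Object Name)

    if ($d.DriverVersion -eq 0) {
        # Some packages report no version; flag for manual review instead of guessing
        $version = 'unknown'
        $status  = 'check manually'
    } else {
        $version = ConvertTo-DriverVersion $d.DriverVersion
        $status  = if ($version -lt $FixedVersion) { 'VULNERABLE' } else { 'fixed' }
    }

    [pscustomobject]@{
        Driver      = $d.Name
        Environment = $d.PrinterEnvironment
        Version     = "$version"
        Status      = $status
        Printers    = $bound -join ', '
    }
}

$report | Sort-Object Driver | Format-Table -AutoSize -Wrap
```

Rows marked `VULNERABLE` with a non-empty `Printers` column are the old entries the article advises removing after the update.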