Security experts at US-CERT have published a Vulnerability Note reporting that researchers found a way to gain access to a line of HP LaserJet printers and obtain unencrypted data over the local network. According to the experts, this can be done without user authentication.
The researchers confirmed that ten printer models in the LaserJet Pro series can be accessed via telnet without entering a password. The cause is a telnet debugging shell that can disable the SSL connection and reveal the passwords used to connect to the HP ePrint Cloud server.
Christoph von Wittich, who found the vulnerability during a scheduled scan of the company's computer networks, said that the backdoor can be used to carry out DoS attacks. However, according to the researcher, the factory configuration restricts Internet access through the device, reducing the risk of compromise.
HP developers have released a patch for the vulnerable printers.