Cleo Communications took advantage of the FCC's EBB program to scam those already struggling with money when the pandemic struck.
The post Low-income consumers preyed on by fake ISP during pandemic, FCC says appeared first on Malwarebytes Labs.

The FCC (Federal Communications Commission) has proposed a fine of $220,210 against Kyle Traxler of Ohio for allegedly establishing the bogus internet provider, Cleo Communications, to scam low-income consumers. The victims believed they were receiving government-approved discounts on internet services and devices during pandemic lockdowns in the US.

In a document posted to its site, the FCC says Traxler “willfully and repeatedly” committed multiple federal wire fraud violations for three months, from May 24, 2021, to August 11, 2021. During this time, Traxler, who was CEO of Cleo Communications, sought to be authorized by the FCC as an ISP provider under the Emergency Broadband Benefit (EBB) program, which the FCC opened to provide subsidized broadband—$50 monthly discounts—to those who had low or lost income when the pandemic hit.

Per the notice, Cleo Communications sold EBB-discounted devices via its website, accepting payments via PayPal, Venmo, credit cards, and interstate wire transfers. However, these products never arrived. When consumers asked for a refund for products or services that never materialized, the company refused, citing its “Terms of Service” as the basis for refusal. Cleo’s terms stated:

    Cleo Communications operates a PREPAID Service. All services are sold as in (sic) and without warranty. Under NO circumstances does Cleo Communications represent any warranty nor provide a refund of any kind for services that are offered [...] Cleo Communications does NOT nor will ever imply or agree upon a refund, credits nor any other refunds of service and monies to be returned to you.
    
    All refunds and credits are up to Cleo at its sole discretion and therefore, charge backs to us via any customer bank is breach of contract at any time and is subject to further legal action up to but not limited to small claims court actions for breach of contract in the amount of what is disputed, any and all legal fees, court fees, attorney fees, filing fees, interest at 9.9%, and a contract breach fee in the amount of $300.00.

In some cases, Cleo threatened to sue them for “terms of service breach”, admin cost for preparing the invoice, and an interest rate.

From the document:

> “Cleo apparently existed for the sole purpose of taking financial advantage of customers under the disguise of being a legitimate EBB Program provider. Cleo Communications has had no business activity outside of the EBB Program and no other business purpose.
> 
> After receiving authorization to participate in the EBB Program and advertising that participation on its website, Cleo apparently never enrolled consumers in the EBB Program or delivered the discounted broadband services or devices for which Cleo received payment from consumers who believed Cleo’s online website representations.”

Complaints received by the FCC eventually triggered the investigation into Cleo Communications and Traxler. The agency interviewed eight of Cleo’s victims from various states, and all shared a very similar story. Cleo never resorted to other schemes that could have defrauded the EBB program directly. Instead, Traxler chose to just scam consumers.

> “Cleo’s schemes to defraud consumers under the pretense of participating in the EBB Program caused severe harm not only in monetary terms to the low-income consumers it preyed upon, but also to the trust and goodwill this or any program needs to achieve its purposes effectively.”

The EBB program was eventually discontinued and replaced by the Affordable Connectivity Program, which offered $30 monthly discounts.

Low-income consumers preyed on by fake ISP during pandemic, FCC says

A flaw in the networking code handling DNS-over-TLS queries may cause `named` to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load.
This issue affects BIND 9 versions 9.18.0 through 9.18.18 and 9.18.11-S1 through 9.18.18-S1.

**CVE-2023-4236: named may terminate unexpectedly under high DNS-over-TLS query load**

*   Updated on 20 Sep 2023
*   2 Minutes to read
*   Contributors
    
     
    

*   Print
    
*   Share
    
*   Dark
    
    Light
    

Share feedback

Thanks for sharing your feedback!

**CVE:** CVE-2023-4236

**Document version:** 2.0

**Posting date:** 20 September 2023

**Program impacted:** BIND 9

**Versions affected:**

BIND

*   9.18.0 -> 9.18.18

BIND Supported Preview Edition

*   9.18.11-S1 -> 9.18.18-S1

**Severity:** High

**Exploitable:** Remotely

**Description:**

A flaw in the networking code handling DNS-over-TLS queries may cause named to terminate unexpectedly due to an assertion failure. This happens when internal data structures are incorrectly reused under significant DNS-over-TLS query load.

**Impact:**

A named instance vulnerable to this flaw may terminate unexpectedly when subjected to significant DNS-over-TLS query load.

This flaw does not affect DNS-over-HTTPS code, as that uses a different TLS implementation.

**CVSS Score:** 7.5

**CVSS Vector:** CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

For more information on the Common Vulnerability Scoring System and to obtain your specific environmental score please visit: https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator?vector=AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H&version=3.1.

**Workarounds:**

Disabling listening for DNS-over-TLS connections (by removing listen-on ... tls ... { ... }; statements from the configuration) prevents the affected code paths from being taken, rendering exploitation impossible. However, there is no workaround for this flaw if DNS-over-TLS support is required.

**Active exploits:**

We are not aware of any active exploits.

**Solution:**

Upgrade to the patched release most closely related to your current version of BIND 9:

*   9.18.19

BIND Supported Preview Edition is a special feature preview branch of BIND provided to eligible ISC support customers.

*   9.18.19-S1

**Acknowledgments:**

ISC would like to thank Robert Story from the USC/ISI DNS root server operations team for bringing this vulnerability to our attention.

**Document revision history:**

*   1.0 Early Notification, 13 September 2023
*   2.0 Public disclosure, 20 September 2023

**Related documents:**

See our BIND 9 Security Vulnerability Matrix for a complete listing of security vulnerabilities and versions affected.

**Do you still have questions?** Questions regarding this advisory should be mailed to bind-security@isc.org or posted as confidential GitLab issues at https://gitlab.isc.org/isc-projects/bind9/-/issues/new?issue\[confidential\]=true.

**Note:**

ISC patches only currently supported versions. When possible we indicate EOL versions affected. For current information on which versions are actively supported, please see https://www.isc.org/download/.

**ISC Security Vulnerability Disclosure Policy:**

Details of our current security advisory policy and practice can be found in the ISC Software Defect and Security Vulnerability Disclosure Policy at https://kb.isc.org/docs/aa-00861.

The Knowledgebase article https://kb.isc.org/docs/cve-2023-4236 is the complete and official security advisory document.

**Legal Disclaimer:**

Internet Systems Consortium (ISC) is providing this notice on an "AS IS" basis. No warranty or guarantee of any kind is expressed in this notice and none should be implied. ISC expressly excludes and disclaims any warranties regarding this notice or materials referred to in this notice, including, without limitation, any implied warranty of merchantability, fitness for a particular purpose, absence of hidden defects, or of non-infringement. Your use or reliance on this notice or materials referred to in this notice is at your own risk. ISC may change this notice at any time. A stand-alone copy or paraphrase of the text of this document that omits the document URL is an uncontrolled copy. Uncontrolled copies may lack important information, be out of date, or contain factual errors.

CVE-2023-4236: CVE-2023-4236

IBM Power HMC 7.1.0 through 7.8.0 and 7.3.5 is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.  IBM X-Force ID:  91163.

  

**Problem**

It is possible to inject malicious code while entering user name on HMC Logon screen. This code would get activated when failed login message is displayed in HMC Event Log GUI.

**Resolving The Problem**

**VULNERABILITY DETAILS:**

**CVEID:** _CVE-2014-0883_

**DESCRIPTION:**  
CVSS Base Score: 4.3  
CVSS Temporal Score: See

http://xforce.iss.net/xforce/xfdb/91163

for the current score  
CVSS Environmental Score\*: Undefined  
CVSS Vector: (AV:N/AC:M/Au:N/C:N/I:P/A:N)

**AFFECTED PRODUCTS AND VERSIONS:**  
Power HMC Version 7 Release 7.3.5  
Power HMC Version 7 Release 7.1.0 to 7.8.0

**REMEDIATION:**

  

_VRMF_

_APAR_

_Remediation/First Fix_

_Power HMC_

Version 7 Release 7.7.0 Service Pack 3

MB03778

http://download4.boulder.ibm.com/sar/CMA/HMA/04c01/0/MH01409.readme.html

_Power HMC_

Version 7 Release 7.8.0 Service Pack 1

MB03765

https://www-933.ibm.com/support/fixcentral/

_Power HMC_

Version 7 Release 7.1.0 to 7.6.0

_N/A_

_Please contact IBM Support if you need a fix._

_Power HMC_

Version 7 Release 7.3.5

_N/A_

_Please contact IBM Support if you need a fix._

**_Workaround(s) & Mitigation(s):_**  
No workarounds are necessary if you don’t use View HMC Events GUI.

**REFERENCES:**  
· _Complete CVSS Guide_  
· _On-line Calculator V2_

**RELATED INFORMATION:**

IBM Secure Engineering Web Portal  
IBM Product Security Incident Response Blog

**ACKNOWLEDGEMENT**  
The vulnerability was reported to IBM by Arnold Grossmann, Bundesamt für Informatik und Telekommunikation.

**CHANGE HISTORY**  
27 Feb 2014: Original Copy Published

_\*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash._

**_Note:_** _According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY._

\[{"Product":{"code":"SSB6AA","label":"Power System Hardware Management Console Physical Appliance"},"Business Unit":{"code":"BU054","label":"Systems w\\/TPS"},"Component":"HMC","Platform":\[{"code":"PF025","label":"Platform Independent"}\],"Version":"Version Independent","Edition":"","Line of Business":{"code":"LOB08","label":"Cognitive Systems"}}\]

CVE-2014-0883: Security Bulletin: Power Hardware Management Console (HMC)

Jenkins Email Extension Plugin 2.96 and earlier does not perform a permission check in a method implementing form validation, allowing attackers with Overall/Read permission to check for the existence of files in the email-templates/ directory in the Jenkins home directory on the controller file system.

CVE-2023-32979: Jenkins Security Advisory 2023-05-16

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees

**Name**

CVE-2013-4235

**Description**

shadow: TOCTOU (time-of-check time-of-use) race condition when copying and removing directory trees

**Source**

CVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)

**Debian Bugs**

778950

**Vulnerable and fixed packages**

The table below lists information on source packages.

Source Package

Release

Version

Status

shadow (PTS)

buster

1:4.5-1.1

vulnerable

bullseye

1:4.8.1-1

vulnerable

bookworm, sid

1:4.13+dfsg1-1

fixed

The information below is based on the following data on fixed versions.

Package

Type

Release

Fixed Version

Urgency

Origin

Debian Bugs

shadow

source

(unstable)

1:4.12.3+dfsg1-1

unimportant

778950

**Notes**

https://github.com/shadow-maint/shadow/issues/317  
https://github.com/shadow-maint/shadow/pull/545  
Fixed by: https://github.com/shadow-maint/shadow/commit/e9ae247cb14f977d8881f481488843b10665dba8 (4.12.2)  
Fixed by: https://github.com/shadow-maint/shadow/commit/f6f8bcd2a57c06983296485cc028ebdf467ebfd7 (4.12.2)  
Fixed by: https://github.com/shadow-maint/shadow/commit/dab764d0195fc16d1d39330eee8a33e8917826d8 (4.12.2)  
Fixed by: https://github.com/shadow-maint/shadow/commit/1d281273b149f2bb992d893d8ca9ffffddc95cc8 (4.12.2)  
Fixed by: https://github.com/shadow-maint/shadow/commit/f606314f0c22fb5d13e5af17a70860d57559e808 (4.12.2)  
Fixed by: https://github.com/shadow-maint/shadow/commit/6cbec2d0aa29d6d25e9eed007ded4e79eb637519 (4.12.2)  
Fixed by: https://github.com/shadow-maint/shadow/commit/faeab50e710131816b261de66141524898c2c487 (4.12.2)  
Regression fix: https://github.com/shadow-maint/shadow/commit/f3bdb28e57e5e38c1e89347976c7d61a181eec32 (4.13)  
Regression fix: https://github.com/shadow-maint/shadow/commit/10cd68e0f04b48363eb32d2c6e168b358fb27810 (4.13)  
Regression fix: https://github.com/shadow-maint/shadow/commit/cde221b8587193f9dc300c0799a530e846c75961 (4.13)

CVE-2013-4235: CVE-2013-4235

Certain HP LaserJet Pro print products are potentially vulnerable to Heap Overflow and/or Remote Code Execution.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP LaserJet Pro print products are potentially vulnerable to Heap Overflow and/or Remote Code Execution.

Severity

High

HP Reference

HPSBPI03841 rev. 1

Release date

April 6, 2023

Last updated

April 6, 2023

Category

Print

Potential Security Impact

Potential Heap Overflow, Elevation of Privilege

**Relevant Common Vulnerabilities and Exposures (CVE) List**

**Reported by**: Angelboy (@scwuaptx) from DEVCORE Research Team working with Trend Micro Zero Day Initiative

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2023-27973

8.8

High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0020

**Resolution**

Update the printer firmware.

HP has provided an updated firmware resolution for potentially affected products listed in the table below. To obtain the updated firmware, go to the HP Customer Support - Software and Driver Downloads, and then search for your printer model.

**Affected products**

Find the products affected and the firmware version that resolves the vulnerabilities.

Affected products    

Product Name

Model Number

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

002\_2310A or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

002\_2310A or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

002\_2310A or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

002\_2310A or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

002\_2310A or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

002\_2310A or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial release

April 6, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2023-27973: Certain HP LaserJet Pro Print Products - Potential Heap Overflow, Remote Code Execution

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Remote Code Execution.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Remote Code Execution.

Severity

High

HP Reference

HPSBPI03840 rev. 1

Release date

April 6, 2023

Last updated

April 6, 2023

Category

Print

Potential Security Impact

Potential Buffer Overflow, Remote Code Execution

**Relevant Common Vulnerabilities and Exposures (CVE) List**

**Reported by**: Angelboy (@scwuaptx) from DEVCORE Research Team working with Trend Micro Zero Day Initiative

List of CVE IDs    

CVE ID

CVSS 3.0

Severity

Vector

CVE-2023-27972

8.8

High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0019

**Resolution**

Update the printer firmware.

HP has provided an updated firmware resolution for potentially affected products listed in the table below. To obtain the updated firmware, go to the HP Customer Support - Software and Driver Downloads, and then search for your printer model.

**Affected products**

Find the products affected and the firmware version that resolves the vulnerabilities.

Affected products    

Product Name

Model Number

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

002\_2310A or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

002\_2310A or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

002\_2310A or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

002\_2310A or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

002\_2310A or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

002\_2310A or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial release

April 6, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2023-27972: Certain HP LaserJet Pro Print Products - Potential Buffer Overflow, Remote Code Execution

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Elevation of Privilege.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow and/or Elevation of Privilege.

Severity

High

HP Reference

HPSBPI03839 rev. 1

Release date

April 6, 2023

Last updated

April 6, 2023

Category

Print

Potential Security Impact

Potential Buffer Overflow, Elevation of Privilege

**Relevant Common Vulnerabilities and Exposures (CVE) List**

**Reported by**: Neodyme working with Trend Micro Zero Day Initiative

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2023-27971

8.8

High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0018

**Resolution**

Update the printer firmware.

HP has provided an updated firmware resolution for potentially affected products listed in the table below. To obtain the updated firmware, go to the HP Customer Support - Software and Driver Downloads, and then search for your printer model.

**Affected products**

Find the products affected and the firmware version that resolves the vulnerabilities.

Affected products    

Product Name

Model Number

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

002\_2310A or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

002\_2310A or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

002\_2310A or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

002\_2310A or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

002\_2310A or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

002\_2310A or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial release

April 6, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2023-27971: Certain HP LaserJet Pro Print Products - Potential Buffer Overflow, Elevation of Privilege

Certain HP LaserJet Pro print products are potentially vulnerable to a stack-based buffer overflow related to the compact font format parser.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP LaserJet Pro print products are potentially vulnerable to a stack-based buffer overflow related to the compact font format parser.

Severity

High

HP Reference

HPSBPI03853 rev.01

Release date

June 22, 2023

Last updated

June 22, 2023

Category

Print

Potential Security Impact

Potential Buffer Overflow, Denial of Service

**Relevant Common Vulnerabilities and Exposures (CVE) List**

**Reported by:** Interrupt Labs (ZDI-CAN-19707)

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2023-35177

8.8

High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0060

**Resolution**

Update the printer firmware.

HP has provided an updated firmware resolution for potentially affected products listed in the table below. To obtain the updated firmware, go to the HP Customer Support - Software and Driver Downloads, and then search for your printer model.

**Affected LaserJet Pro printers**

Find the products affected and the firmware version that resolves the vulnerabilities.

Affected products    

Product Name

Product Number

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

002\_2322C or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

002\_2322C or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

002\_2322C or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

002\_2322C or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

002\_2322C or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

002\_2322C or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

June 22, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

CVE-2023-35177: Certain HP LaserJet Pro Print Products - Potential Buffer Overflow

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow when performing a GET request to scan jobs.

**hp-concentra-wrapper-portlet**

 Actions

Certain HP LaserJet Pro print products are potentially vulnerable to Buffer Overflow when performing a GET request to scan jobs.

Severity

High

HP Reference

HPSBPI03854 rev.01

Release date

June 22, 2023

Last updated

June 22, 2023

Category

Print

Potential Security Impact

Potential Buffer Overflow, Denial of Service

**Relevant Common Vulnerabilities and Exposures (CVE) List**

**Reported by:** Bugscale (ZDI-CAN-19765)

List of CVE IDs    

CVE ID

CVSS

Severity

Vector

CVE-2023-35178

8.8

High

CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Learn more about CVSS 3.0 base metrics, which range from 0 to 10.

PSR-2023-0061

**Resolution**

Update the printer firmware.

HP has provided an updated firmware resolution for potentially affected products listed in the table below. To obtain the updated firmware, go to the HP Customer Support - Software and Driver Downloads, and then search for your printer model.

**Affected LaserJet Pro printers**

Find the products affected and the firmware version that resolves the vulnerabilities.

Affected products    

Product Name

Product Number

Updated Firmware Version

HP Color LaserJet MFP M478-M479 series

W1A75A, W1A76A, W1A77A, W1A81A, W1A82A, W1A79A, W1A80A, W1A78A

002\_2322C or higher

HP Color LaserJet Pro M453-M454 series

W1Y40A, W1Y41A, W1Y46A, W1Y47A, W1Y44A, W1Y45A, W1Y43A

002\_2322C or higher

HP LaserJet Pro M304-M305 Printer series

W1A66A, W1A46A, W1A47A, W1A48A

002\_2322C or higher

HP LaserJet Pro M404-M405 Printer series

W1A51A, W1A53A, W1A56A, W1A63A, W1A52A, 93M22A, W1A58A, W1A59A, W1A60A, W1A57A

002\_2322C or higher

HP LaserJet Pro MFP M428-M429 f series

W1A29A, W1A32A, W1A30A, W1A38A, W1A34A, W1A35A

002\_2322C or higher

HP LaserJet Pro MFP M428-M429 series

W1A28A, W1A31A, W1A33A

002\_2322C or higher

**Revision history**

This document has been revised according to the information below.

List of versions   

Version

Description

Date

1

Initial Release

June 22, 2023

**Additional information**

Follow these links for additional information.

Third-party security patches

Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer's patch management policy.

Support

For issues about implementing the recommendations of this Security Bulletin, visit http://www.hp.com/go/contacthp to learn about your HP support options.

Report

To report a potential security vulnerability with any HP supported product, send email to: hp-security-alert@hp.com.

Subscribe

To initiate a subscription to receive future HP Security Bulletin alerts via email, visit https://h41369.www4.hp.com/alerts-signup.php?lang=en&cc=US&jumpid=hpsc\_profile.

Security bulletin archive

To view released Security Bulletins, visit https://support.hp.com/security-bulletins.

It is strongly recommended that security related information being communicated to HP be encrypted using PGP, especially exploit information.

Download HP’s security-alert PGP key

**Legal information**

System management and security procedures must be reviewed frequently to maintain system integrity. HP is continually reviewing and enhancing the security features of software products to provide customers with current secure solutions.

HP is broadly distributing this Security Bulletin in order to bring to the attention of users of the affected HP products the important security information contained in this Security Bulletin. HP recommends that all users determine the applicability of this information to their individual situations and take appropriate action. HP does not warrant that this information is necessarily accurate or complete for all user situations and, consequently, HP will not be responsible for any damages resulting from user's use or disregard of the information provided in this Security Bulletin. To the extent permitted by law, HP disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose, title and non-infringement.

© Copyright 2023 HP Development Company, L.P.

HP Inc. (HP) shall not be liable for technical or editorial errors or omissions contained herein. The information provided is provided "as is" without warranty of any kind. To the extent permitted by law, neither HP nor its affiliates, subcontractors or suppliers will be liable for incidental, special or consequential damages including downtime cost; lost profits; damages relating to the procurement of substitute products or services; or damages for loss of data, or software restoration. The information in this document is subject to change without notice. "HP Inc.," "HP" and the names of HP products referenced herein are trademarks of HP Inc. or its affiliates in the United States and other countries. Other product and company names mentioned herein may be trademarks of their respective owners.

Search

lenovo warranty check/lookup | check warranty status | lenovo support us