On August 13, 2018, Checkpoint Research, a security research firm, released information regarding a vulnerability in HP's all-in-one fax machines and possibly other fax device implementations.
The original research write-up can be found at the link below and has been picked up by several press outlets as well:
Specifically, the vulnerability relates to how some implementations of color fax capabilities may be vulnerable to remote code execution via exploiting problems in their image parsing for color JPEG faxes.
The published findings further state that they were unable to find any vulnerabilities that could be exploited related to black and white faxing and the compression schemes used with TIFFs in faxing, noting 'We checked the decompression code for T.4 and T.6 and couldn't find any interesting vulnerabilities there.'
FAXAGE has evaluated the available information from Checkpoint Research and has determined that this vulnerability does not apply to our services. This is the case because FAXAGE offers only black and white faxing, and, thus does not offer the vector required for the exploit.
While we leave opinions to the mind of the reader, we would like to point out for the benefit of all that the way in which this has been portrayed, both by the researcher and by the press in picking it up, is as a general exploit for taking over networks via any network connected fax device. This is simply not the case
. A color fax device with specific problems in its color parsing implementation is required.
Our view is that the vulnerability is being characterized as much more widely applicable than it actually is and that critical details are unfortunately being obscured. We hope that this post helps to debunk some of the sensationalism and give a more balanced view of what this vulnerability actually entails.
Happy safe faxing!