A package of six security vulnerabilities impacting the firmware of HP’s business-focused laptops and desktops and some have been left unfixed for months, security researchers said.
Experts at Binarly presented the package of vulnerabilities at the most recent Black Hat conference in August. More than a month after the public disclosure, the vulnerabilities remain unfixed for several HP devices.
The company has submitted 22 vulnerabilities to HP this year, including a package of 16 high-severity flaws in March that also impacted the firmware of enterprise-focused HP products including laptops, desktops, point-of-sale (PoS) systems, and edge computing nodes.
Binarly began notifying HP of the vulnerabilities included in the package of six that were publicly disclosed at Black Hat 2022 as far back as July 2021.
A wide range of HP devices is affected by the flaws, including HP Elite 2-in-1 PCs, HP EliteBook, HP ProBook laptops, HP ZBook workstations, and HP ZHAN notebooks. Some desktops, PoS systems, workstations, and thin clients are also vulnerable.
The patching status for the affected devices varies by each vulnerability, but a significant number of devices remain unpatched across each of the six publicly disclosed flaws.
Firmware vulnerabilities are particularly concerning, for businesses especially, because of the potential significance of the attacks they can facilitate.
If a cyber criminal was able to exploit a UEFI-level vulnerability and install malware at the root of the system, it has the potential to allow a high degree of persistence on the machine and can be difficult to both detect and remove.
Installing UEFI malware or a rootkit would afford an attacker a range of capabilities including the ability to implant a backdoor to the victim’s machine, create new users, remotely control the computer, exfiltrate data, and execute financially-driven campaigns like ransomware, for example.
Binary highlights the devices in its report that have still not received security updates following the public disclosure of the vulnerabilities more than a month ago.
When a vulnerability is publicly disclosed, it means cyber criminals have all the information they need to develop exploits for the flaws. If a device is not patched when a vulnerability is publicly disclosed, a user is then limited in what they can do to prevent an attack.
IT Pro has contacted HP for comment and will update the article if it responds.
Cyber resiliency and end-user performance
Reduce risk and deliver greater business success with cyber-resilience capabilities
All of the six vulnerabilities are privilege escalation flaws that can allow for arbitrary code execution in System Management Mode (SMM) which runs at a higher level of privileges that the operating system (OS) and the hypervisor.
“Running arbitrary code in SMM additionally bypasses SMM-based SPI flash protections against modifications, which can help an attacker to install a firmware backdoor/implant into BIOS,” said Binarly.
“Such a malicious firmware code in BIOS could persist across operating system re-installs. Additionally, this vulnerability potentially could be used by malicious actors to bypass security mechanisms provided by UEFI firmware (for example, Secure Boot and some types of memory isolation for hypervisors).”
Each of the individual vulnerabilities can lead to the same outcome but affect different components. They are tracked as:
- CVE-2022-23930 – rated 8.2 on the CVSS v3 severity scale - ‘high’
- CVE-2022-31644 – rated 7.5 on the CVSS v3 severity scale - ‘high’
- CVE-2022-31645 – rated 8.2 on the CVSS v3 severity scale - ‘high’
- CVE-2022-31646 – rated 8.2 on the CVSS v3 severity scale - ‘high’
- CVE-2022-31640 – rated 7.5 on the CVSS v3 severity scale - ‘high’
- CVE-2022-31641 – rated 7.5 on the CVSS v3 severity scale - ‘high’
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.