IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

Numerous HP business laptops and desktops vulnerable to publicly disclosed security bugs

Researchers revealed the details of the six vulnerabilities at Black Hat in August but many laptops, desktops, and workstations remain vulnerable

A package of six security vulnerabilities impacting the firmware of HP’s business-focused laptops and desktops and some have been left unfixed for months, security researchers said.

Experts at Binarly presented the package of vulnerabilities at the most recent Black Hat conference in August. More than a month after the public disclosure, the vulnerabilities remain unfixed for several HP devices.

The company has submitted 22 vulnerabilities to HP this year, including a package of 16 high-severity flaws in March that also impacted the firmware of enterprise-focused HP products including laptops, desktops, point-of-sale (PoS) systems, and edge computing nodes.

Binarly began notifying HP of the vulnerabilities included in the package of six that were publicly disclosed at Black Hat 2022 as far back as July 2021.

A wide range of HP devices is affected by the flaws, including HP Elite 2-in-1 PCs, HP EliteBook, HP ProBook laptops, HP ZBook workstations, and HP ZHAN notebooks. Some desktops, PoS systems, workstations, and thin clients are also vulnerable.

The patching status for the affected devices varies by each vulnerability, but a significant number of devices remain unpatched across each of the six publicly disclosed flaws.

HP has published three security advisories (1, 2, 3) that cover each of the six flaws found by Binarly, and the patching status for each device can be found in the dropdown menus. 

Firmware vulnerabilities are particularly concerning, for businesses especially, because of the potential significance of the attacks they can facilitate. 

If a cyber criminal was able to exploit a UEFI-level vulnerability and install malware at the root of the system, it has the potential to allow a high degree of persistence on the machine and can be difficult to both detect and remove.

Installing UEFI malware or a rootkit would afford an attacker a range of capabilities including the ability to implant a backdoor to the victim’s machine, create new users, remotely control the computer, exfiltrate data, and execute financially-driven campaigns like ransomware, for example.

Binary highlights the devices in its report that have still not received security updates following the public disclosure of the vulnerabilities more than a month ago.

When a vulnerability is publicly disclosed, it means cyber criminals have all the information they need to develop exploits for the flaws. If a device is not patched when a vulnerability is publicly disclosed, a user is then limited in what they can do to prevent an attack.

IT Pro has contacted HP for comment and will update the article if it responds.

Firmware bugs

Related Resource

Cyber resiliency and end-user performance

Reduce risk and deliver greater business success with cyber-resilience capabilities

Whitepaper cover with title and text, and image of pyramid cyber-resilience modelFree Download

All of the six vulnerabilities are privilege escalation flaws that can allow for arbitrary code execution in System Management Mode (SMM) which runs at a higher level of privileges that the operating system (OS) and the hypervisor.

“Running arbitrary code in SMM additionally bypasses SMM-based SPI flash protections against modifications, which can help an attacker to install a firmware backdoor/implant into BIOS,” said Binarly. 

“Such a malicious firmware code in BIOS could persist across operating system re-installs. Additionally, this vulnerability potentially could be used by malicious actors to bypass security mechanisms provided by UEFI firmware (for example, Secure Boot and some types of memory isolation for hypervisors).”

Each of the individual vulnerabilities can lead to the same outcome but affect different components. They are tracked as:

  • CVE-2022-23930 – rated 8.2 on the CVSS v3 severity scale - ‘high’
  • CVE-2022-31644 – rated 7.5 on the CVSS v3 severity scale - ‘high’
  • CVE-2022-31645 – rated 8.2 on the CVSS v3 severity scale - ‘high’
  • CVE-2022-31646 – rated 8.2 on the CVSS v3 severity scale - ‘high’
  • CVE-2022-31640 – rated 7.5 on the CVSS v3 severity scale - ‘high’
  • CVE-2022-31641 – rated 7.5 on the CVSS v3 severity scale - ‘high’
Featured Resources

Accelerating healthcare transformation through patient-centred medtech solutions

Seize the digital transformation opportunities to streamline patient care and optimise patient outcomes

Free Download

Big payoffs from big bets in AI-powered automation

Automation disruptors realise 1.5 x higher revenue growth

Free Download

Hyperscaler cloud service providers top ten

Why it's important for companies to consider hyperscaler cloud service providers, and why they matter

Free Download

Strategic app modernisation drives digital transformation

Address business needs both now and in the future

Free Download

Recommended

Laser printers vs Inkjet
Hardware

Laser printers vs Inkjet

2 Aug 2022
HP Envy 6432e review: Beauty that’s only skin-deep
peripherals

HP Envy 6432e review: Beauty that’s only skin-deep

27 May 2022
HP Deskjet 4120e review: An incredibly cheap home office MFP
peripherals

HP Deskjet 4120e review: An incredibly cheap home office MFP

25 May 2022
HP Neverstop Laser 1202nw review: A great small office choice
peripherals

HP Neverstop Laser 1202nw review: A great small office choice

19 May 2022

Most Popular

Empowering employees to truly work anywhere
Sponsored

Empowering employees to truly work anywhere

22 Nov 2022
Larger monitors aren't all they're cracked up to be
monitors

Larger monitors aren't all they're cracked up to be

3 Dec 2022
Microsoft: Russia increasingly timing cyber attacks with missile strikes in Ukraine
cyber warfare

Microsoft: Russia increasingly timing cyber attacks with missile strikes in Ukraine

5 Dec 2022