Some firmware bugs in HP business devices are yet to be fixed

Six high-severity firmware bugs affecting several HP Enterprise devices are yet to be patched, some of them since July 2021.

The Binarly security research team reported several HP Enterprise devices are affected by six high-severity firmware vulnerabilities that are yet to be patched, and some of them have been disclosed more than a year ago.

The researchers disclosed technical details of some of the vulnerabilities at the Black Hat 2022 conference.

The bugs affect HP EliteBook devices and multiple additional HP product lines, the experts reported that the issues are arbitrary code execution vulnerabilities related to System Management Mode (SMM) of the of the Unified Extensible Firmware Interface (UEFI).

The SMM is an operating mode of x86 CPUs in which all normal execution, including the operating system, is suspended.

When a code is sent to the SMM, the operating system is suspended and a portion of the UEFI/BIOS firmware executes various commands with elevated privileges and with access to all the data and hardware.

Below is the list of the vulnerabilities:

Vulnerabilities	BRLY ID	CVE ID	CVSS score
SMM Memory Corruption (Arbitrary Code Execution)	BRLY-2022-010 BRLY-2022-011 BRLY-2022-012 BRLY-2022-013 BRLY-2021-046 BRLY-2021-047	CVE-2022-23930 CVE-2022-31644 CVE-2022-31645 CVE-2022-31646 CVE-2022-31640 CVE-2022-31641	8.2 High 7.5 High 8.2 High 8.2 High 7.5 High 7.5 High

Three vulnerabilities have been reported to HP in July 2021, while other three issues were disclosed in April 2022.

Vulnerabilities in the SMM can be exploited to to bypass the Secure Boot, threat actors can bypass this security feature to create stealth rootkits.

In February 2022, HP addressed the CVE-2022-23930 with the release of HP PC BIOS Security Updates.

The tech giant addressed CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646 in August 2022, but several business notebooks and desktops, and workstations have yet to receive updates.

The remaining issues, tracked as CVE-2022-31640 and CVE-2022-31641, were addressed on September 2022, but many workstations are yet to be patched.

“Based on the Binarly’s telemetry data, we are experiencing the same effect. In terms of impact at scale, firmware supply chain problems are one of the major challenges.” concludes Binarly speaking about firmware vulnerabilities. “Approximately 20% of firmware updates contain at least two or three known vulnerabilities (previously disclosed), according to Binarly Platform data (based on enterprise-grade vendors study).”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, firmware bugs)

[adrotate banner=”5″]

[adrotate banner=”13″]