A number of firmware security flaws uncovered in HP's business-oriented high-end notebooks continue to be left unpatched in some devices even months after public disclosure.
Binarly, which first disclosed details of the issues at the Black Hat USA conference in mid-August 2022, said the vulnerabilities "cannot be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement."
Firmware flaws can have serious implications, as they can be abused by an adversary to achieve long-term persistence on a device in a manner that survives reboots and evades traditional operating system-level security protections.
The high-severity weaknesses identified by Binarly affect HP EliteBook devices and concern memory corruption in the System Management Mode (SMM) of the firmware, thereby enabling the execution of arbitrary code with the highest privileges:
- CVE-2022-23930 (CVSS score: 8.2) – Stack-based buffer overflow
- CVE-2022-31640 (CVSS score: 7.5) – Improper input validation
- CVE-2022-31641 (CVSS score: 7.5) – Improper input validation
- CVE-2022-31644 (CVSS score: 7.5) – Out-of-bounds write
- CVE-2022-31645 (CVSS score: 8.2) – Out-of-bounds write
- CVE-2022-31646 (CVSS score: 8.2) – Out-of-bounds write
Three of the bugs (CVE-2022-23930, CVE-2022-31640, and CVE-2022-31641) were reported to HP in July 2021, with the remaining three vulnerabilities (CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646) reported in April 2022.
It's worth noting that CVE-2022-23930 is also one of the 16 security flaws that were previously flagged this February as impacting several enterprise models from HP.
SMM, also called "Ring -2," is a special-purpose mode used by the firmware (i.e., UEFI) for handling system-wide functions such as power management, hardware interrupts, or other proprietary original equipment manufacturer (OEM) code.
Shortcomings discovered in the SMM component can, therefore, act as a lucrative attack vector for threat actors to carry out nefarious activities with higher privileges than those of the operating system.
Although HP has released updates to address the flaws in March and August, the vendor has yet to push the patches for all impacted models, potentially exposing customers to the risk of cyberattacks.
"In many cases firmware is a single point of failure among all the layers of the supply chain and the endpoint customer device," Binarly said, adding, "fixing vulnerabilities for a single vendor is not enough."
"As a result of the complexity of the firmware supply chain, there are gaps that are difficult to close on the manufacturing end because it involves issues beyond the control of the device vendors."
The disclosure also comes as the PC maker last week rolled out fixes for a privilege escalation flaw (CVE-2022-38395, CVSS score: 8.2) in its Support Assistant troubleshooting software.
"It is possible for an attacker to exploit the DLL hijacking vulnerability and elevate privileges when Fusion launches the HP Performance Tune-up," the company said in an advisory.