The Cyber Security News

Numerous HP business laptops and desktops vulnerable to publicly disclosed security bugs

September 12, 2022


A set of six security vulnerabilities affecting the firmware of HP's business-focused laptops and desktops has been publicly disclosed, and some of them have been left unfixed for months, security researchers said.

Researchers at Binarly presented the set of vulnerabilities at the most recent Black Hat conference in August. More than a month after the public disclosure, the vulnerabilities remain unfixed on many HP products.



The company has submitted 22 vulnerabilities to HP this year, including a batch of 16 high-severity flaws in March that also affected the firmware of enterprise-focused HP products such as laptops, desktops, point-of-sale (PoS) systems, and edge computing nodes.

Binarly began notifying HP of the vulnerabilities in the batch of six publicly disclosed at Black Hat 2022 as far back as July 2021.

A wide range of HP devices is affected by the flaws, including HP Elite 2-in-1 PCs, HP EliteBook and HP ProBook laptops, HP ZBook workstations, and HP ZHAN notebooks. Some desktops, PoS devices, workstations, and thin clients are also vulnerable.

The patching status of the affected devices varies by vulnerability, but a significant number of products remain unpatched for each of the six publicly disclosed flaws.

HP has released three security advisories (1, 2, 3) that cover the six flaws found by Binarly; the patching status for each device can be found in the advisories' dropdown menus. Because the fix for a given model is a specific BIOS version, checking a fleet comes down to reading each machine's SMBIOS BIOS version and comparing it with the first fixed version HP lists for that model.
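The check above, as an added example that is not part of the article and not HP's or Binarly's code: it parses the BIOS version line from `dmidecode -t bios` output for a handful of hosts and flags any HP machine below a per-family minimum. The family codes (`S70`, `U92`, `Q99`), version numbers and the `MIN_FIXED` table are constructed placeholders, and the `<family> Ver. <major>.<minor>.<patch>` version format is an assumption about how HP reports it; the real minimum for each model comes from the HP advisory for the CVE in question.

```python
"""
Fleet check: flag HP hosts whose SMBIOS BIOS version is below a per-family
minimum. Added example; not from the article, Binarly or HP. Family codes,
versions and the MIN_FIXED table are constructed placeholders; take the
real "first fixed" version per model from the relevant HP advisory.
"""
import re

# Hypothetical "first fixed" versions keyed by HP BIOS family code (placeholders).
MIN_FIXED = {
    "S70": (1, 9, 0),
    "U92": (1, 7, 0),
}

# Assumed HP SMBIOS version format, e.g. "S70 Ver. 01.06.00".
VERSION_RE = re.compile(
    r"^[ \t]*Version:[ \t]*([A-Z]\d{2})[ \t]+Ver\.[ \t]+(\d+)\.(\d+)\.(\d+)[ \t]*$", re.M
)
VENDOR_RE = re.compile(r"^[ \t]*Vendor:[ \t]*(.+?)[ \t]*$", re.M)


def parse_hp_bios_version(dmi_text):
    """Return (family, (major, minor, patch)) from dmidecode output, or None."""
    m = VERSION_RE.search(dmi_text)
    if not m:
        return None
    return m.group(1), tuple(int(x) for x in m.group(2, 3, 4))


def assess(dmi_text):
    """Classify one host: 'ok', 'outdated', 'unknown-family', 'not-hp' or 'unparsed'."""
    vendor = VENDOR_RE.search(dmi_text)
    if not vendor:
        return "unparsed"
    if vendor.group(1).upper() not in ("HP", "HEWLETT-PACKARD"):
        return "not-hp"
    parsed = parse_hp_bios_version(dmi_text)
    if parsed is None:
        return "unparsed"
    family, version = parsed
    minimum = MIN_FIXED.get(family)
    if minimum is None:
        # A family that is not in the table still needs a human to look it up.
        return "unknown-family"
    return "ok" if version >= minimum else "outdated"


def assess_fleet(hosts):
    """hosts: {hostname: dmidecode text}. Returns {hostname: status}."""
    return {name: assess(text) for name, text in hosts.items()}


# Constructed sample captures (not real dmidecode output from real machines).
SAMPLE_HOSTS = {
    "lap-01": "BIOS Information\n\tVendor: HP\n\tVersion: S70 Ver. 01.06.00\n\tRelease Date: 02/10/2022\n",
    "lap-02": "BIOS Information\n\tVendor: HP\n\tVersion: S70 Ver. 01.10.00\n\tRelease Date: 08/24/2022\n",
    "lap-03": "BIOS Information\n\tVendor: HP\n\tVersion: Q99 Ver. 01.03.00\n",
    "srv-01": "BIOS Information\n\tVendor: Dell Inc.\n\tVersion: 2.14.0\n",
}

if __name__ == "__main__":
    for host, status in sorted(assess_fleet(SAMPLE_HOSTS).items()):
        print(f"{host}: {status}")
```

On Linux the input is `sudo dmidecode -t bios`; on Windows the same string is `(Get-CimInstance Win32_BIOS).SMBIOSBIOSVersion`, so the parser only needs the `Version:` line wrapped around it. A status of `unknown-family` is deliberately not `ok`: it means the model is not in your table yet, not that it is patched.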

Firmware vulnerabilities are particularly concerning, for organisations especially, because of the severity of the attacks they can enable.

If a cyber criminal were able to exploit a UEFI-level vulnerability and install malware at the root of the system, it would give them a high degree of persistence on the machine and be difficult to both detect and remove.

Installing UEFI malware or a rootkit would afford an attacker a range of capabilities, including the ability to implant a backdoor on the victim's device, create new users, remotely control the computer, exfiltrate data, and run financially motivated campaigns such as ransomware.

Binarly highlights in its report the devices that have still not received security updates following the public disclosure of the vulnerabilities more than a month ago.

When a vulnerability is publicly disclosed, cyber criminals have all the information they need to build exploits for it. If a device is not patched when a vulnerability is publicly disclosed, a user is then limited in what they can do to prevent an attack. Because these are SMM privilege escalation flaws, an attacker first needs to run code on the device, usually with kernel or administrator privileges, so until a BIOS update is available the practical defence is to keep untrusted code out of that position and to apply the update as soon as HP ships it for the model.

IT Pro has contacted HP for remark and will update the article if it responds.

Firmware bugs

All six vulnerabilities are privilege escalation flaws that can allow arbitrary code execution in System Management Mode (SMM), which runs at a higher privilege level than the operating system (OS) and the hypervisor.

“Running arbitrary code in SMM additionally bypasses SMM-based SPI flash protections against modifications, which can help an attacker to install a firmware backdoor/implant into BIOS,” said Binarly.

“Such malicious firmware code in BIOS could persist across operating system re-installs. Additionally, this vulnerability potentially could be used by malicious actors to bypass security mechanisms provided by UEFI firmware (for example, Secure Boot and some types of memory isolation for hypervisors).”
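The "SMM-based SPI flash protections" Binarly refers to are the write-protect bits in the Intel PCH BIOS_CNTL register, which make the BIOS region of SPI flash writable only while the CPU is in SMM. The decoder below is an added example, not code from the article or Binarly: given the register's byte value, it reports which lock state the platform is in. The bit positions (BIOSWE/WPD bit 0, BLE/LE bit 1, SMM_BWP/EISS bit 5) are the documented Intel layout; where the register sits (LPC bridge offset 0xDC on older PCHs, the SPI controller on 100-series and later) is platform-specific, and reading it with `setpci` or chipsec is assumed to happen outside this script. The status names are this example's own.

```python
"""
Decode the Intel PCH BIOS_CNTL register to judge whether the SPI flash BIOS
region is writable only from SMM. Added example; not from the article or
Binarly. Reading the byte (e.g. `setpci -s 00:1f.0 dc.b` on older PCHs, or
chipsec's common.bios_wp module) is assumed to be done separately.
"""

BIOSWE = 1 << 0   # BIOS Write Enable (WPD on 100-series+): 1 = region writable
BLE = 1 << 1      # BIOS Lock Enable (LE): setting BIOSWE triggers an SMI
SMM_BWP = 1 << 5  # SMM BIOS Write Protect (EISS): writes only while in SMM


def decode_bios_cntl(value):
    """Return the three protection-relevant bits as booleans."""
    return {
        "BIOSWE": bool(value & BIOSWE),
        "BLE": bool(value & BLE),
        "SMM_BWP": bool(value & SMM_BWP),
    }


def bios_write_protection(value):
    """
    Classify the lock state (names are this example's own):
      smm-only     : SMM_BWP and BLE set; writes require SMM. This is the
                     protection that arbitrary code execution in SMM bypasses.
      smm-unlocked : SMM_BWP set but BLE clear, so ring 0 can still clear it.
      ble-only     : BLE set, BIOSWE clear, SMM_BWP clear; relies on the SMI
                     handler re-clearing BIOSWE, a known race-prone design.
      writable     : BIOSWE set; the BIOS region is writable from the OS.
      unlocked     : nothing set; BIOSWE can simply be turned on.
    """
    bits = decode_bios_cntl(value)
    if bits["SMM_BWP"] and bits["BLE"]:
        return "smm-only"
    if bits["SMM_BWP"]:
        return "smm-unlocked"
    if bits["BLE"] and not bits["BIOSWE"]:
        return "ble-only"
    if bits["BIOSWE"]:
        return "writable"
    return "unlocked"


def from_setpci_output(text):
    """Parse the single hex byte that `setpci ... dc.b` prints, e.g. '2a'."""
    return int(text.strip(), 16)


if __name__ == "__main__":
    # Constructed sample readings, not captured from real hardware.
    for raw in ("2a", "20", "02", "01", "00"):
        value = from_setpci_output(raw)
        print(f"BIOS_CNTL=0x{value:02x} {decode_bios_cntl(value)} -> {bios_write_protection(value)}")
```

Two caveats a practitioner should keep in mind. First, `smm-only` is the best this register can report, and it is exactly the state the six CVEs defeat: the attacker's code runs in SMM, so the "must be in SMM" condition is satisfied. Second, SPI protected ranges (PR0 to PR4 with FLOCKDN) are a separate, hardware-enforced layer that this decoder does not look at; a platform can be `smm-only` here and still have, or lack, range protection.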

Each of the individual vulnerabilities can lead to the same outcome but affects different components. They are tracked as:

  • CVE-2022-23930 – rated 8.2 on the CVSS v3 severity scale – ‘high’
  • CVE-2022-31644 – rated 7.5 on the CVSS v3 severity scale – ‘high’
  • CVE-2022-31645 – rated 8.2 on the CVSS v3 severity scale – ‘high’
  • CVE-2022-31646 – rated 8.2 on the CVSS v3 severity scale – ‘high’
  • CVE-2022-31640 – rated 7.5 on the CVSS v3 severity scale – ‘high’
  • CVE-2022-31641 – rated 7.5 on the CVSS v3 severity scale – ‘high’

Some elements of this short article are sourced from:
www.itpro.co.uk
