Holes in the firmware of computers from HP cannot be fixed for more than a year

A total of six dangerous firmware vulnerabilities affect a wide range of HP devices used in corporate environments. Despite the fact that a number of bugs were known as early as July 2021, some computers are still unpatched.

Holes in the firmware are especially dangerous because they can lead to the installation of malicious software that will function even after reinstalling the operating system. In addition, such malware can easily bypass security tools.

The issue of vulnerable devices from HP was raised by Binarly specialists. In the report , experts write that they talked about some of the breaches from the set at the Black Hat 2022 conference.

Nevertheless, the vendor has left a number of models without a patch, which, of course, opens up these devices for attacks by cybercriminals. The researchers reported the first three bugs to HP in July 2021, and the rest in April 2022.

It turns out that the vendor had four months to fix the flaws in one case, and more than a year in the other. All problems are related to memory corruption in the System Management Module (SMM), which leads to code execution.

SMM is part of the UEFI firmware and provides useful features like the ability to control the hardware stuffing. The list of vulnerabilities with identifiers looks like this:

CVE-2022-23930 – Buffer overflow leading to code execution (CVSS v3 8.2, “high risk”) CVE-2022-31644 – CommBuffer out-of-bounds entry to partially bypass validation (CVSS v3 score of 7.5, “high risk”) CVE-2022-31645

Read more

Explore the site

More from the blog

Latest News