Security researchers report that six vulnerabilities in the firmware of many HP devices used in corporate environments still have not been fixed, even though some of them were reported to the vendor back in the summer of 2021.
Binarly researchers drew attention to the problem. Their report states that a month has passed since they presented the bugs in HP firmware at Black Hat 2022, yet the vendor has still not released patches for all affected devices, and many customers remain vulnerable to attack.
Recall that we previously reported that critical vulnerabilities in HP Teradici PCoIP endanger 15 million endpoints, and that HP fixed 16 dangerous vulnerabilities in the UEFI firmware of its devices.
Researchers reported three of the vulnerabilities to HP back in July 2021, and the other three in April 2022. In other words, the manufacturer has had between roughly four months and a year to develop and ship fixes.
Experts warn that firmware bugs are especially dangerous because they can be used to implant malware that gains a foothold below the operating system and survives even a full OS reinstall. In other words, successful exploitation leads to a long-term compromise that standard security tools will not detect.
The issues Binarly found are memory corruption bugs in SMM (System Management Mode) that lead to arbitrary code execution. SMM is a highly privileged CPU mode in which UEFI firmware code handles system-wide functions, including low-level hardware and power management; SMM code and data live in a protected memory region (SMRAM) that the OS is not supposed to be able to touch. The main danger is that SMM privileges (informally called ring -2) exceed those of the OS kernel (ring 0). As a result, any vulnerability affecting SMM allows an attacker to bypass security mechanisms such as Secure Boot, plant backdoors that are invisible to the OS, and persist reliably on the system.
Binarly analysts report six vulnerabilities:
- CVE-2022-23930 – stack-based buffer overflow leading to arbitrary code execution (CVSS 8.2);
- CVE-2022-31644 – out-of-bounds write on CommBuffer allowing a partial validation bypass (CVSS 7.5);
- CVE-2022-31645 – out-of-bounds write on CommBuffer (CVSS 8.2);
- CVE-2022-31646 – out-of-bounds write leading to privilege escalation and arbitrary code execution (CVSS 8.2);
- CVE-2022-31640 – improper input validation giving the attacker control over CommBuffer data and opening the way to unrestricted modifications (CVSS 7.5);
- CVE-2022-31641 – callout vulnerability in an SMI handler leading to arbitrary code execution (CVSS 7.5).
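To make the CommBuffer findings concrete, here is a hypothetical user-space model of the bug class (an added illustration written for this article, not HP's firmware and not Binarly's code). An SMI handler receives a request through the OS-supplied CommBuffer; the request carries a nested pointer `Dest` and a length, and the handler is asked to copy a reply there. If the handler trusts that pointer, an OS-level attacker can aim it into SMRAM and obtain a controlled write into SMM memory, which is exactly the "out-of-bounds write on CommBuffer" pattern above. SMRAM is simulated with a static array, and the `CommRequest` layout, the handler names and the `smram_written_by()` harness are invented for the example; the hardened variant models the range check that EDK2 ships as `SmmIsBufferOutsideSmmValid()`.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical user-space model of the "unchecked nested pointer in the
 * CommBuffer" bug class. Nothing here is HP's firmware or Binarly's code.
 * SMRAM is simulated with a static array; the request layout and handler
 * names are invented for the illustration.
 */

#define SMRAM_SIZE 256
static uint8_t smram[SMRAM_SIZE];      /* stands in for protected SMRAM */
#define FLAG_OFFSET 64                 /* some SMM-private state the OS must not reach */

/* Reply data the handler copies back to the caller (constructed sample). */
static const uint8_t REPLY[16] = {
    0x48, 0x50, 0x2d, 0x42, 0x49, 0x4f, 0x53, 0x2d,
    0x52, 0x45, 0x50, 0x4c, 0x59, 0x2d, 0x30, 0x31
};

/* Request as laid out in the OS-supplied CommBuffer. Dest is a pointer the
 * OS controls: the SMI handler is asked to write the reply there. */
typedef struct {
    uint8_t *Dest;
    size_t   Len;
} CommRequest;

/* Vulnerable handler: trusts Dest and Len from the CommBuffer. An OS-level
 * attacker who points Dest into SMRAM gets a controlled write into SMM memory. */
int smi_handler_vulnerable(CommRequest *req)
{
    size_t n = req->Len < sizeof REPLY ? req->Len : sizeof REPLY;
    memcpy(req->Dest, REPLY, n);
    return 0;
}

/* Model of the check EDK2 ships as SmmIsBufferOutsideSmmValid(): the range
 * [buf, buf+len) must not wrap around and must not overlap SMRAM. */
bool buffer_outside_smram(const void *buf, size_t len)
{
    uintptr_t start = (uintptr_t)buf;
    uintptr_t smram_lo = (uintptr_t)smram;
    uintptr_t smram_hi = smram_lo + SMRAM_SIZE - 1;
    if (len == 0)
        return true;                          /* zero bytes touch nothing */
    if (start > UINTPTR_MAX - (len - 1))
        return false;                         /* range wraps the address space */
    uintptr_t end = start + len - 1;
    return end < smram_lo || start > smram_hi;
}

/* Hardened handler: snapshot the request first (the OS could rewrite the
 * CommBuffer from another core between check and use), then bound Len and
 * refuse any destination that touches SMRAM. */
int smi_handler_hardened(CommRequest *req)
{
    CommRequest local = *req;
    if (local.Len == 0 || local.Len > sizeof REPLY)
        return -1;
    if (!buffer_outside_smram(local.Dest, local.Len))
        return -1;
    memcpy(local.Dest, REPLY, local.Len);
    return 0;
}

/* Attack scenario: Dest aimed at SMM-private state. Returns true if the
 * handler let the write land inside SMRAM. */
bool smram_written_by(int (*handler)(CommRequest *))
{
    memset(smram, 0, sizeof smram);
    CommRequest req = { smram + FLAG_OFFSET, 8 };
    handler(&req);
    return memcmp(smram + FLAG_OFFSET, REPLY, 8) == 0;
}

/* Benign scenario: Dest in ordinary OS memory. Returns 0 if the hardened
 * handler accepted the request and the reply arrived intact. */
int hardened_with_os_buffer(void)
{
    uint8_t os_buf[16];
    CommRequest req = { os_buf, sizeof os_buf };
    int rc = smi_handler_hardened(&req);
    return rc == 0 && memcmp(os_buf, REPLY, sizeof os_buf) == 0 ? 0 : -1;
}

int main(void)
{
    printf("vulnerable handler corrupted SMRAM: %s\n",
           smram_written_by(smi_handler_vulnerable) ? "yes" : "no");
    printf("hardened handler corrupted SMRAM:   %s\n",
           smram_written_by(smi_handler_hardened) ? "yes" : "no");
    printf("hardened handler, OS buffer:        %s\n",
           hardened_with_os_buffer() == 0 ? "ok" : "rejected");
    return 0;
}
```

Two details in the hardened version matter in real firmware as well: the request is copied out of the CommBuffer before it is validated, because the OS can rewrite that buffer from another core between the check and the use, and the range check is written so that a length chosen to wrap past the end of the address space is rejected rather than slipping past a naive `end > start` comparison. The callout bug (CVE-2022-31641) is the mirror image of this class: instead of writing through an OS-controlled pointer, SMM code calls through a function pointer that lives outside SMRAM and that the OS can overwrite, so the fix there is to never call code that is not itself inside SMRAM.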
To date, HP has issued three security bulletins for these vulnerabilities, along with three BIOS updates that fix the bugs on some of the affected devices.
CVE-2022-23930 was fixed on all affected devices in March 2022, with the exception of thin clients.
CVE-2022-31644, CVE-2022-31645 and CVE-2022-31646 received fixes on August 9, 2022. However, patches are still missing for many business laptops (including the Elite, ZBook and ProBook series), desktops (ProDesk, EliteDesk and ProOne series), PoS systems, and workstations (Z1, Z2, Z4 and ZCentral).
The same applies to CVE-2022-31640 and CVE-2022-31641: patches were released during August, and the most recent update is dated September 7, 2022, but many HP workstations still have not received any fixes.
Binarly notes that fixing firmware bugs is a complex process that depends heavily on the supply chain, so many HP customers will have to assess the risk themselves and, in the meantime, tighten physical security measures around the affected machines.