October 6, 2022
CyberSecurity Technology

HP Enterprise Computers were left vulnerable to cyberattacks because of unpatched high-severity security vulnerabilities.

silver and black laptop computer

Security researchers have found hidden vulnerabilities in several models of HP’s Business-oriented notebooks that continue to be unpatched, (Sic) Binarily told listeners at the Black Code conference.
It said that these flaws are “difficult to detect with TPM measurements.”

Firmware flaws can have serious implications as they allow an adversary to achieve long-term persistence on a device running in the background, evading traditional operating system security protections.

The high-severity vulnerabilities identified by Binarly affect HP EliteBook devices and concern a case of memory corruption in the System Management Mode (SMM) of the firmware, thereby enabling an attacker to execute arbitrary code with highest privileges –

  • CVE-2022-23930 (CVSS score: 8.2) – Stack-based buffer overflow
  • CVE-2022-31640 (CVSS score: 7.5) – Improper input validation
  • CVE-2022-31641 (CVSS score: 7.5) – Improper input validation
  • CVE-2022-31644 (CVSS score: 7.5) – Out-of-bounds write
  • CVE-2022-31645 (CVSS score: 8.2) – Out-of-bounds write
  • CVE-2022-31646 (CVSS score: 8.2) – Out-of-bounds write

Three of the bugs (CVE-2022-23930, CVE-2022-31640, and CVE-2022-31641) were notified to HP in July 2021, with the remaining three vulnerabilities (CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646) reported in April 2022.

It’s worth noting that CVE-2022-23930 is also one of the 16 security flaws previously flagged this February as impacting several enterprise models from HP.

SMM is a special purpose mode used by the firmware for handling system wide functions such as power management, hardware interrupts or other proprietary code.

Shortcomings identified in the SMM component can, therefore, be used to perform nefarious activities with higher privileges than that of the operating system.

Although HP has released mitigations to address the flaws in March and August, they have yet to push the patches for all impacted models. This means that customers are at risk of cyberattacks until they install the patch

“In many cases, firmware is a single point of failure between all the layers of the supply chain and the endpoint customer device,” Binarly said. “Fixing vulnerabilities for a single vendor is not enough.”

“As a result of the complexity of the firmware supply chain, there are gaps that are difficult to close on the manufacturing end since it involves issues beyond control of device vendors.”

The disclosure also arrives as the PC maker last week rolled out fixes for a privilege escalation flaw (CVE-2022-38395, CVSS score: 8.2) in its Support Assistant troubleshooting software.

“It is possible for an attacker to exploit the DLL hijacking vulnerability and elevate privileges when HP Performance Tune-up launches Fusion,” the company noted in an advisory.

Leave a Reply

Your email address will not be published.

Post a blog

Post a Quote