A total of six publicly known firmware bugs, some of which were first disclosed back in 2021, are still impacting many enterprise-specific HP desktops and laptops.
These vulnerabilities were laid bare by experts from Binarly, which presented the full package of six bugs at the Black Hat conference this past August. Their published report lists the devices still affected by these bugs, including HP ZBook workstations, HP Elite 2-in-1 PCs, HP ProBook laptops, HP EliteBook, HP ZHAN notebooks, and more.
Such UEFI-level vulnerabilities affect a user’s device at the very root of the system itself, where a compromise can avoid detection and be rather difficult to fully remove. The firmware bugs are rated particularly high on the CVSS v3 scale, reflecting their potential impact in cases such as remote control of a PC, data exfiltration, new user creation, and more.
Firmware Vulnerabilities list
Unlike initial Windows 11 bugs, these security flaws allow arbitrary code execution in System Management Mode (SMM), a highly privileged CPU mode in which UEFI firmware runs everything from power interface protocols to system safety functions.
These can be particularly dangerous given that they can, as Binarly itself writes, “bypass security mechanisms provided by UEFI firmware (for example, Secure Boot and some types of memory isolation for hypervisors).” Thus, even a full system reboot won’t have much of an effect if a compromise is already baked into the device.
The six currently known firmware bugs on HP devices are listed below:
- CVE-2022-23930 – rated 8.2 via CVSS v3 as ‘high’
- CVE-2022-31644 – rated 7.5 via CVSS v3 as ‘high’
- CVE-2022-31645 – rated 8.2 via CVSS v3 as ‘high’
- CVE-2022-31646 – rated 8.2 via CVSS v3 as ‘high’
- CVE-2022-31640 – rated 7.5 via CVSS v3 as ‘high’
- CVE-2022-31641 – rated 7.5 via CVSS v3 as ‘high’
Because these bugs are publicly known, cybercriminals can build dangerous exploits targeting them. That’s why an official patch from HP is absolutely necessary to resolve these problems as fast as possible.
Firmware bugs status
HP has already publicly acknowledged three of the aforementioned firmware vulnerabilities with security advisories and implemented an additional three BIOS updates to aid some HP models, but not all. Those that have been amended in some capacity are listed below:
- CVE-2022-31644 was amended on most systems in March, besides thin client desktop PCs.
- CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646 were amended with security updates on August 9th.
- CVE-2022-31640 and CVE-2022-31641 have had several fixes made to systems in August and September, yet several HP devices are still affected.
Early this September, HP also patched the CVE-2022-38395 firmware bug in the system’s Fusion component, which was utilized to launch HP’s onboard diagnostic tool. Some other security vulnerabilities not listed above, specifically CVE-2021-3808 and CVE-2021-3809, were also amended this past May.
Thus, while a bit slow to act, HP is clearly addressing these issues and providing patches as swiftly as it can. Specific business notebooks and HP workstations have yet to be patched, though, despite HP seemingly working hard to limit the security flaws across its lineup.
Should HP enterprise device users be concerned?
It’s always wise to stay somewhat ahead of the game with these security flaws, given that several of them can directly undermine specific security protocols. Because they have been live for so long and are fairly well known in security circles, these firmware vulnerabilities should be approached with caution.
Thus, update your devices regularly. Check BIOS and other specific component details, running checks every so often just to be sure everything is working as expected. As mentioned previously, these security flaws can still affect a device after an entire system reboot, and you won’t even know a compromise is there.
Tread with caution, and be sure to keep an eye on any updates from both HP and Binarly as these problems find their necessary solutions. It’s best to simply beef up your security protocols as fast as possible and ensure your system is safe from malicious firmware attacks.