Multiple firmware security flaws uncovered in HP's business-oriented high-end notebooks continue to be left unpatched on some devices even months after public disclosure.
Binarly, which first revealed details of the issues at the Black Hat USA conference in mid-August 2022, said the vulnerabilities "cannot be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement."
Firmware flaws can have serious implications, as they can be abused by an adversary to achieve long-term persistence on a device in a manner that survives reboots and evades traditional operating system-level security protections.
The high-severity weaknesses identified by Binarly affect HP EliteBook devices and concern memory corruption in the System Management Mode (SMM) of the firmware, thereby enabling the execution of arbitrary code with the highest privileges:
- CVE-2022-23930 (CVSS score: 8.2) – Stack-based buffer overflow
- CVE-2022-31640 (CVSS score: 7.5) – Improper input validation
- CVE-2022-31641 (CVSS score: 7.5) – Improper input validation
- CVE-2022-31644 (CVSS score: 7.5) – Out-of-bounds write
- CVE-2022-31645 (CVSS score: 8.2) – Out-of-bounds write
- CVE-2022-31646 (CVSS score: 8.2) – Out-of-bounds write
Three of the bugs (CVE-2022-23930, CVE-2022-31640, and CVE-2022-31641) were reported to HP in July 2021, with the remaining three vulnerabilities (CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646) reported in April 2022.
It is worth noting that CVE-2022-23930 is also one of the 16 security flaws that were previously flagged this February as impacting several enterprise models from HP.
SMM, also known as "Ring -2," is a special-purpose mode used by the firmware (i.e., UEFI) for handling system-wide functions such as power management, hardware interrupts, or other proprietary original equipment manufacturer (OEM) designed code.
Shortcomings identified in the SMM component can, therefore, act as a lucrative attack vector for threat actors to perform nefarious actions with higher privileges than those of the operating system.
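To make the TPM limitation quoted above concrete, here is a small simulation (an added example, not code from Binarly or HP) of why firmware integrity monitoring that compares PCR values against a golden baseline cannot see a runtime exploit of an SMM memory-corruption bug. Measured boot hashes each firmware volume into a PCR before the code runs; a persistent modification of the flash image changes the PCR on the next boot, but memory that is corrupted after measurement is never re-measured, so the PCR stays equal to the baseline. The "firmware volume" byte strings, the scenario names and the single-PCR model are constructed for illustration; a real platform uses several PCRs and event logs, but the extend rule is the TPM 2.0 one.

```python
import hashlib

PCR_SIZE = 32  # one SHA-256 PCR bank


def pcr_extend(pcr: bytes, data: bytes) -> bytes:
    """TPM 2.0 extend: PCR_new = SHA-256(PCR_old || SHA-256(data))."""
    return hashlib.sha256(pcr + hashlib.sha256(data).digest()).digest()


def measure_boot(firmware_volumes) -> bytes:
    """Simulate measured boot: every volume is extended into PCR0 before it executes.
    The result depends on both the contents and the order of the volumes."""
    pcr0 = bytes(PCR_SIZE)  # PCRs start at all zeros on reset
    for volume in firmware_volumes:
        pcr0 = pcr_extend(pcr0, volume)
    return pcr0


def integrity_check(observed_pcr0: bytes, golden_pcr0: bytes) -> bool:
    """What a firmware integrity monitor does: compare the PCR to a known-good value."""
    return observed_pcr0 == golden_pcr0


# Constructed stand-ins for the firmware volumes measured during boot.
GOLDEN_VOLUMES = [
    b"PEI core v1",
    b"DXE core v1",
    b"SMM handler v1",  # the component that would carry an SMM bug
]


def scenario_persistent_implant() -> bool:
    """Flash image altered on disk: next boot measures different bytes, so the
    monitor's comparison fails. Returns the monitor's verdict (False = detected)."""
    golden = measure_boot(GOLDEN_VOLUMES)
    tampered_volumes = GOLDEN_VOLUMES[:-1] + [b"SMM handler v1 + implant"]
    return integrity_check(measure_boot(tampered_volumes), golden)


def scenario_runtime_smm_corruption():
    """Flash image untouched: boot measures the genuine handler, then SMRAM is
    corrupted at runtime. PCR0 is never re-extended, so the monitor still passes.
    Returns (monitor verdict, whether SMRAM actually differs from what was measured)."""
    golden = measure_boot(GOLDEN_VOLUMES)
    boot_pcr0 = measure_boot(GOLDEN_VOLUMES)
    smram = bytearray(GOLDEN_VOLUMES[-1])  # in-memory copy of the measured handler
    smram[:] = b"SMM handler v1 (corrupted in memory)"  # runtime change, not measured
    return integrity_check(boot_pcr0, golden), bytes(smram) != GOLDEN_VOLUMES[-1]


if __name__ == "__main__":
    print("persistent implant passes monitor:", scenario_persistent_implant())
    print("runtime SMM corruption passes monitor, memory differs:",
          scenario_runtime_smm_corruption())
```

The defender's takeaway is the one the article draws: PCR-based attestation tells you which firmware was loaded, not whether it is currently behaving, so an unpatched SMM bug has to be closed by applying the vendor update rather than relying on boot-time integrity monitoring to catch its exploitation.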
Although HP has released updates to address the flaws in March and August, the vendor has yet to push the patches for all impacted models, potentially exposing customers to the risk of cyberattacks.
"In many cases firmware is a single point of failure between all the layers of the supply chain and the endpoint customer device," Binarly said, adding, "fixing vulnerabilities for a single vendor is not enough."
"Due to the complexity of the firmware supply chain, there are gaps that are difficult to close on the manufacturing end as it involves issues beyond the control of the device vendors."
The disclosure also arrives as the PC maker last week rolled out fixes for a privilege escalation flaw (CVE-2022-38395, CVSS score: 8.2) in its Support Assistant troubleshooting software.
"It is possible for an attacker to exploit the DLL hijacking vulnerability and elevate privileges when Fusion launches the HP Performance Tune-up," the company noted in an advisory.