Tuesday, September 13, 2022

Security Report Finds Several Year-Old HP Firmware Vulnerabilities Are Still Unpatched


Research carried out by a team at the firmware security firm Binarly shows that six vulnerabilities remain unpatched in various enterprise-grade HP laptops and desktops, despite HP having developed patches for them. Binarly discovered three of these vulnerabilities last year and notified HP of their existence in July 2021. After confirming the presence of these vulnerabilities in the company's firmware, HP released patches for these three vulnerabilities in March of this year.

The other three firmware vulnerabilities discussed in Binarly's research were discovered and patched more recently. Binarly notified HP of these vulnerabilities in April of this year, and HP published patches at the beginning of August. Binarly publicly disclosed these additional vulnerabilities a day later at the Black Hat 2022 conference.

LVFS showing vulnerabilities detected in the latest firmware for the HP commercial laptop U99 family (source: Binarly)

However, even though HP has released patches for all six of these vulnerabilities, the company still hasn't applied the patches to its latest firmware. Last week, HP released a firmware update for laptops in its commercial laptop U99 family, but a FwHunt scan carried out by the Linux Vendor Firmware Service (LVFS) detected the presence of the six vulnerabilities discovered by Binarly. These vulnerabilities remain in HP's firmware even though the company released patches for three of them a month ago, and it has been six months since HP released patches for the other three.

All six of the vulnerabilities are quite serious, as threat actors could exploit them to corrupt System Management Mode (SMM) memory and execute arbitrary code. SMM is intended for use only by BIOS or UEFI firmware, since it possesses privileges beyond those of the operating system (OS) and any application software. An attacker could leverage these privileges to bypass security features and plant malware capable of surviving not only system restarts but possibly OS re-installs. We've listed all six of the vulnerabilities below so readers can learn more about them and check whether their own systems are vulnerable.

CVE ID            Binarly ID       CVSS Severity Rating
CVE-2022-23930    BRLY-2022-010    8.2 High
CVE-2022-31644    BRLY-2022-011    7.5 High
CVE-2022-31645    BRLY-2022-012    8.2 High
CVE-2022-31646    BRLY-2022-013    8.2 High
CVE-2022-31640    BRLY-2021-046    7.5 High
CVE-2022-31641    BRLY-2021-047    7.5 High
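As an added example (not code from the article, Binarly or HP), the following Python script reads fwupd/LVFS-style AppStream metadata for a firmware package and reports which of the six CVEs in the table above no release claims to fix, which is a quick way to see whether an update you are about to install addresses them. The metadata XML is constructed for illustration and its component id is hypothetical; that it mirrors the AppStream `<releases>`/`<issues>` layout LVFS uses to record fixed CVEs is an assumption about that format.

```python
"""Check firmware update metadata against the six CVEs in the article.
Added example, not Binarly's or HP's code. SAMPLE_METADATA is constructed and
only mimics the AppStream <releases>/<issues> layout used by LVFS (an
assumption about that format); the component id is hypothetical."""
import xml.etree.ElementTree as ET

# The six CVEs from the article, mapped to their Binarly advisory IDs.
BINARLY_CVES = {
    "CVE-2022-23930": "BRLY-2022-010",
    "CVE-2022-31644": "BRLY-2022-011",
    "CVE-2022-31645": "BRLY-2022-012",
    "CVE-2022-31646": "BRLY-2022-013",
    "CVE-2022-31640": "BRLY-2021-046",
    "CVE-2022-31641": "BRLY-2021-047",
}

# Constructed sample: one release claims two of the six CVEs as fixed.
SAMPLE_METADATA = """<?xml version="1.0" encoding="UTF-8"?>
<components version="0.9" origin="constructed-sample">
  <component type="firmware">
    <id>com.example.hypothetical.U99.firmware</id>
    <releases>
      <release version="1.0.1" date="2022-08-01">
        <issues>
          <issue type="cve">CVE-2022-23930</issue>
          <issue type="cve">CVE-2022-31644</issue>
          <issue type="generic">HYPOTHETICAL-0001</issue>
        </issues>
      </release>
      <release version="1.0.0" date="2022-03-01"/>
    </releases>
  </component>
</components>"""

def cves_fixed_per_release(metadata_xml):
    """Return {release version: set of CVE ids that release lists as fixed}."""
    fixed = {}
    for release in ET.fromstring(metadata_xml).iter("release"):
        # Only <issue type="cve"> entries count; other issue types are ignored.
        fixed[release.get("version")] = {
            issue.text.strip() for issue in release.iter("issue")
            if issue.get("type") == "cve" and issue.text}
    return fixed

def unaddressed_binarly_cves(metadata_xml):
    """CVEs from the article that no release claims to fix, as sorted
    (CVE, Binarly ID) pairs; a non-empty list is what to raise with the vendor."""
    claimed = set().union(*cves_fixed_per_release(metadata_xml).values())
    return sorted(p for p in BINARLY_CVES.items() if p[0] not in claimed)
```

Running `unaddressed_binarly_cves(SAMPLE_METADATA)` on the constructed sample returns the four CVEs the sample release does not list; real LVFS metadata is what `fwupdmgr` downloads, and the same check applies to it.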