Hewlett-Packard (HP) notebooks are still unpatched, despite the announcement of high-severity bugs last month.
The vulnerabilities were discussed at the Black Hat USA conference and were made public by Binarly. The company noted that monitoring systems could not detect the affected firmware because of TPM limitations. These bugs affect HP EliteBooks. Memory corruption in the System Management Mode (SMM) enables execution of arbitrary code. The flaws are:
- CVE-2022-23930 (CVSS score: 8.2) – Stack-based buffer overflow
- CVE-2022-31640 (CVSS score: 7.5) – Improper input validation
- CVE-2022-31641 (CVSS score: 7.5) – Improper input validation
- CVE-2022-31644 (CVSS score: 7.5) – Out-of-bounds write
- CVE-2022-31645 (CVSS score: 8.2) – Out-of-bounds write
- CVE-2022-31646 (CVSS score: 8.2) – Out-of-bounds write
HP was notified of the above flaws in July 2021 and April 2022.
Shortcomings in the SMM component can serve as an attack vector for cybercriminals, who can use them to gain higher privileges than those of the operating system.
While HP released mitigations to address the security vulnerabilities in March and August of this year, it has yet to patch all impacted models. This puts device users at risk of cyber attacks.