HP Business Devices Vulnerable to the Exploitation of Six High-risk Firmware Flaws

The potential impact of exploitation includes disrupting a user session on the vulnerable machine, hijacking control of the system remotely, data theft, and implanting backdoors for malware operations, including ransomware attacks.

September 15, 2022

Six important-rated vulnerabilities, three of which were discovered more than a year ago, still plague an unknown number of HP workstations. According to AI-driven firmware security company Binarly, three vulnerabilities were unearthed in July 2021 and the other three in April 2022.

The vulnerabilities were among 16 security flaws that Binarly publicly revealed at the Black Hat 2022 conference in August 2022. HP has addressed 10 of these bugs but has yet to fully patch the remaining six vulnerabilities, which affect the device firmware, specifically the System Management Mode (SMM).

Gaps in firmware, an underlying component at the core of any device, tend to have a long-lasting impact on overall system security. Moreover, firmware flaws allow threats to achieve persistence, i.e., they survive system reboot and shutdown cycles, complete reinstallation of the operating system, and hard drive formatting.

“A firmware implant is the final goal for an attacker to maintain persistence. The attacker can install the malicious implant on different levels of the firmware, either as a modified legitimate module or a standalone driver,” explained Binarly.

“The impact of targeting unprivileged non-SMM DXE runtime drivers or applications by a threat actor is often underestimated. This kind of malicious DXE driver can bypass Secure Boot and influence further boot stages.”

Tasks performed by SMM include power management, safety functions, handling memory, chipset errors, and other functions independent of the operating system.

The CosmicStrand UEFI rootkit, which was discovered in July this year (though active since 2020), is one of the recent examples of severe firmware threats. The rootkit’s implant execution chain runs through the Windows boot process, passing the malicious baton to each successive stage. It resides in ASUS and Gigabyte motherboards with the H81 chipset.

“In many cases firmware is a single point of failure between all the layers of the supply chain and the endpoint customer device,” Binarly added.

The six vulnerabilities impact HP EliteBooks, EliteDesk, ZBooks, Thin Clients, ProBooks, ProDesk, ProOne and ZHAN devices, and point-of-sale systems. They are:

| CVE | CVSS Score | Vulnerability Type | Discovered |
|---|---|---|---|
| CVE-2022-23930 | 8.2 High | Stack-based buffer overflow | July 2021 |
| CVE-2022-31644 | 7.5 High | Out-of-bounds write | April 2022 |
| CVE-2022-31645 | 8.2 High | Out-of-bounds write | April 2022 |
| CVE-2022-31646 | 8.2 High | Out-of-bounds write | April 2022 |
| CVE-2022-31640 | 7.5 High | Improper input validation | July 2021 |
| CVE-2022-31641 | 7.5 High | Improper input validation | July 2021 |

All six are broadly classified as SMM memory corruption vulnerabilities that can lead to arbitrary code execution.

Potential impact includes disrupting a user session on the vulnerable machine, creating new users, taking over control of the system remotely, data theft, and implanting backdoors for malware operations, including ransomware attacks.

An HP advisory dated August 11, 2022, acknowledges CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646. However, the patch release is pending “due to technical or logistical constraints.”

A patch for CVE-2022-23930 is available for most models, barring Thin Client and a few ZBooks (advisory last updated on June 24, 2022). However, CVE-2022-31640 and CVE-2022-31641 remain unpatched on almost three dozen workstations, according to an HP advisory last updated on September 7, 2022.

HP will have to collaborate with its vendors to fix the firmware vulnerabilities. “As a result of the complexity of the firmware supply chain, there are gaps that are difficult to close on the manufacturing end since it involves issues beyond the control of the device vendors,” Binarly cautioned.


Sumeet Wadhwani

Asst. Editor, Spiceworks Ziff Davis
