A set of six firmware vulnerabilities in HP business notebooks and high-end PCs remains unpatched on some models more than a month after public disclosure.
At the Black Hat USA conference in August 2022, researchers from Binarly presented details of the flaws affecting HP firmware. The researchers said that these flaws “cannot be detected by firmware health monitoring systems due to the limitations of the Trusted Platform Module (TPM) measurement.”
Firmware flaws can have serious consequences: an attacker who exploits one can gain persistence on the device that survives reboots and evades traditional OS-level security controls.
The high-severity flaws found by Binarly affect several HP product lines, including HP Elite 2-in-1 PCs, HP EliteBook and HP ProBook notebooks, HP ZHAN notebooks, and HP ZBook workstations. Some workstations, point-of-sale systems, and desktop computers are also affected.
The vulnerabilities are tracked as follows:
- CVE-2022-23930 – Stack-Based Buffer Overflow – severity High (CVSS score: 8.2)
- CVE-2022-31640 – Improper Input Validation – severity High (CVSS score: 7.5)
- CVE-2022-31641 – Improper Input Validation – severity High (CVSS score: 7.5)
- CVE-2022-31644 – Out-of-Bounds Write – severity High (CVSS score: 7.5)
- CVE-2022-31645 – Out-of-Bounds Write – severity High (CVSS score: 8.2)
- CVE-2022-31646 – Out-of-Bounds Write – severity High (CVSS score: 8.2)
All six are privilege escalation issues that can result in arbitrary code execution in System Management Mode (SMM), which runs at a higher privilege level than the operating system (OS) and the hypervisor.
SMM is a special-purpose x86 operating mode that UEFI firmware uses for system-wide functions such as power management and low-level hardware control; the SMI handlers that run there execute from SMRAM, memory that the OS cannot read or write.
The six vulnerabilities sit in distinct firmware components, but each leads to the same outcome: attacker-controlled code running in SMM.
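The bug classes listed above (improper input validation and out-of-bounds writes in SMI handlers) typically come down to one pattern: the handler trusts a pointer or length that arrives in the communication buffer an OS-level caller hands to it, and so can be steered into writing inside SMRAM. The following is an added illustration of that generic pattern, not code from HP's firmware or from Binarly's advisory, and it does not reproduce any of the specific CVEs. It models memory as a flat arena with a hypothetical `CommBuffer` structure and a hypothetical `SMRAM_BASE`/`SMRAM_SIZE` region, and shows a vulnerable handler beside one that applies the same bounds check EDK2 exposes as `SmmIsBufferOutsideSmmValid` (mirrored here, not called).

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* One flat arena stands in for physical memory in this model.  On real
 * hardware SMRAM is the TSEG region the chipset locks to SMM; here it is
 * simply the byte range [SMRAM_BASE, SMRAM_BASE + SMRAM_SIZE) of the arena.
 * All of these names are assumptions made for the example. */
static uint8_t arena[1024];
#define SMRAM_BASE      (arena + 512)
#define SMRAM_SIZE      256u
#define OS_BUFFER       (arena)      /* memory the OS-level caller legitimately owns */
#define OS_BUFFER_SIZE  64u
#define FILL            0x41         /* value the handler writes; used to count writes */

/* Hypothetical communication buffer an OS driver passes to an SMI handler.
 * Every field in it, the pointer included, is attacker-controlled. */
typedef struct {
    uint8_t  *result_ptr;
    uint32_t  result_len;
} CommBuffer;

/* True if [p, p+len) touches SMRAM or wraps around the address space. */
static bool overlaps_smram(const uint8_t *p, uint32_t len) {
    uintptr_t start = (uintptr_t)p, end = start + len;
    uintptr_t s0 = (uintptr_t)SMRAM_BASE, s1 = s0 + SMRAM_SIZE;
    if (end < start) return true;            /* integer wrap: reject */
    return start < s1 && end > s0;
}

/* Vulnerable pattern: the handler trusts the pointer and length from the
 * comm buffer.  Pointing result_ptr into SMRAM turns this into an arbitrary
 * write executed with SMM privileges. */
void smi_handler_vulnerable(CommBuffer *cb) {
    memset(cb->result_ptr, FILL, cb->result_len);
}

/* Hardened pattern: refuse any target range that overlaps SMRAM (the check
 * EDK2 provides as SmmIsBufferOutsideSmmValid) before touching memory. */
int smi_handler_hardened(CommBuffer *cb) {
    if (cb->result_len == 0 || overlaps_smram(cb->result_ptr, cb->result_len))
        return -1;
    memset(cb->result_ptr, FILL, cb->result_len);
    return 0;
}

static size_t count_filled(const uint8_t *p, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++) n += (p[i] == FILL);
    return n;
}

/* Deliver one SMI whose comm buffer points at arena+offset with the given
 * length; return how many SMRAM bytes were overwritten. */
size_t run_attack(bool hardened, size_t offset, uint32_t len) {
    memset(arena, 0, sizeof arena);
    CommBuffer cb = { .result_ptr = arena + offset, .result_len = len };
    if (hardened) smi_handler_hardened(&cb); else smi_handler_vulnerable(&cb);
    return count_filled(SMRAM_BASE, SMRAM_SIZE);
}

/* A legitimate request whose result lands in OS memory; return bytes written there. */
size_t run_legit(void) {
    memset(arena, 0, sizeof arena);
    CommBuffer cb = { .result_ptr = OS_BUFFER, .result_len = OS_BUFFER_SIZE };
    if (smi_handler_hardened(&cb) != 0) return 0;
    return count_filled(OS_BUFFER, OS_BUFFER_SIZE);
}

int main(void) {
    printf("vulnerable, target inside SMRAM : %zu SMRAM bytes clobbered\n", run_attack(false, 528, 32));
    printf("vulnerable, target straddling   : %zu SMRAM bytes clobbered\n", run_attack(false, 500, 32));
    printf("hardened,   target inside SMRAM : %zu SMRAM bytes clobbered\n", run_attack(true, 528, 32));
    printf("hardened,   target straddling   : %zu SMRAM bytes clobbered\n", run_attack(true, 500, 32));
    printf("hardened,   legitimate request  : %zu bytes written to OS buffer\n", run_legit());
    return 0;
}
```

The straddling case is the one worth noticing: a target that starts in OS memory but whose length reaches into SMRAM must be rejected as a whole range, not by checking the start pointer alone, and the wrap-around test guards against a length chosen to make the end address overflow.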
Three of the issues (CVE-2022-23930, CVE-2022-31640, and CVE-2022-31641) were reported to HP in July 2021; the remaining three (CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646) were reported in April 2022.
HP released fixes for the issues in March and August 2022, but customers may still be exposed because the company has not yet shipped patches for all affected models.
Patch availability varies by flaw and by model, so customers should check HP's security bulletins for their specific device.
HP Support Assistant high-severity bug
The disclosure comes as HP last week addressed a high-severity privilege escalation flaw in its HP Support Assistant troubleshooting tool.
The issue, tracked as CVE-2022-38395, carries a severity rating of High and a CVSS score of 8.2.
The bug could allow an attacker who has already gained initial access to a system to run a payload with elevated privileges.
The vulnerability exists in HP Support Assistant, which comes preloaded on new HP PCs and laptops. It is reported to lie in the Fusion component, which is used to launch HP Performance Tune-up, a diagnostic tool bundled with HP Support Assistant.
According to HP's security advisory, CVE-2022-38395 is a DLL hijacking vulnerability that could lead to privilege escalation; in this bug class, a trusted higher-privileged process loads a DLL from a location that a lower-privileged user can write to, so the attacker's library runs with the process's privileges.
To protect their systems from threats, HP advises customers to upgrade to the latest version of HP Support Assistant.
If the system has HP Support Assistant version 8.x, HP advises customers to upgrade to HP Support Assistant version 9 by going to the About section and checking for updates, the advisory says.
“If your system has HP Support Assistant version 9, HP recommends keeping Microsoft Store updates running so that the app is always up to date.”