Several high-severity firmware security flaws remain unpatched on some HP enterprise devices.
Firmware security firm Binarly, which found the issues, publicly detailed them at the Black Hat USA conference in mid-August 2022. Binarly also noted that, because of limitations in what Trusted Platform Module (TPM) measurements capture, exploitation of these flaws is not detectable by firmware integrity monitoring.
The flaws can have serious consequences: an attacker who abuses them can establish long-term persistence on a device that survives reboots and evades traditional OS-level security protections.
Binarly stated that the high-severity flaws affect HP EliteBook devices and stem from memory corruption in the firmware's System Management Mode (SMM), which lets an attacker execute arbitrary code with the highest privileges:
- CVE-2022-23930 (CVSS score: 8.2) – Stack-based buffer overflow
- CVE-2022-31640 (CVSS score: 7.5) – Improper input validation
- CVE-2022-31641 (CVSS score: 7.5) – Improper input validation
- CVE-2022-31644 (CVSS score: 7.5) – Out-of-bounds write
- CVE-2022-31645 (CVSS score: 8.2) – Out-of-bounds write
- CVE-2022-31646 (CVSS score: 8.2) – Out-of-bounds write
All six vulnerabilities listed above were reported to HP between July 2021 and April 2022.
SMM, also known as "Ring -2," is a special-purpose CPU mode that the firmware (i.e., UEFI) uses for system-wide functions such as power management, handling hardware interrupts, and other proprietary code written by the original equipment manufacturer (OEM).
Because SMM runs with more privilege than the operating system, it is a lucrative attack vector: a threat actor who gains code execution there operates beneath every OS-level control.
HP addressed the flaws in two security updates released in March and August, but the company has yet to release patches for all impacted models, leaving those customers exposed.
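The bug classes in the list above (improper input validation and out-of-bounds writes in SMM) typically arise when an SMI handler trusts data the operating system places in the SMM communication buffer. The C program below is an added illustration, not code from HP's firmware, from Binarly's research, or from any of the CVEs above. It models SMRAM as a fixed array, shows a handler that copies to an OS-supplied pointer without validation, and beside it the hardened form that rejects any destination overlapping SMRAM (the check that EDK2 performs with SmmIsBufferOutsideSmmValid). The smm_state_t structure, its flash_locked field, the request layout and the memory layout are all hypothetical and constructed for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed memory model: a 4 KiB "SMRAM" region followed by 4 KiB of
 * memory the OS owns. Real SMRAM is a hardware-protected physical range;
 * here it is just the first half of one array. */
#define SMRAM_SIZE  0x1000u
#define OS_MEM_SIZE 0x1000u
static _Alignas(16) uint8_t g_phys[SMRAM_SIZE + OS_MEM_SIZE];
#define SMRAM_BASE ((uintptr_t)g_phys)
#define SMRAM_END  (SMRAM_BASE + SMRAM_SIZE)
#define OS_MEM     (g_phys + SMRAM_SIZE)

/* Hypothetical SMM-private state kept inside SMRAM. */
typedef struct {
    uint32_t flash_locked;  /* 1 = SPI flash write-protected, 0 = writable */
    uint8_t  secret[16];
} smm_state_t;
#define SMM_STATE ((smm_state_t *)g_phys)

/* Hypothetical request the OS passes through the communication buffer.
 * The OS controls every field, including the destination pointer. */
typedef struct {
    uint8_t *dst;           /* where the handler should copy data */
    uint32_t len;           /* number of bytes to copy */
    uint8_t  data[32];      /* caller-supplied payload */
} smi_req_t;

/* The check the hardened handler needs: the whole [buf, buf+len) range
 * must lie outside SMRAM, with the wrap-around case rejected. */
static bool buffer_outside_smram(const void *buf, size_t len)
{
    uintptr_t start = (uintptr_t)buf;
    uintptr_t end = start + len;
    if (end < start)        /* address arithmetic wrapped */
        return false;
    return end <= SMRAM_BASE || start >= SMRAM_END;
}

/* Vulnerable handler: trusts dst and len, so the OS can direct the copy
 * into SMRAM (improper input validation -> out-of-bounds write). */
int smi_handler_vulnerable(smi_req_t *req)
{
    memcpy(req->dst, req->data, req->len);
    return 0;
}

/* Hardened handler: rejects lengths larger than the payload and any
 * destination that overlaps SMRAM. Returns -1 on rejection. */
int smi_handler_hardened(smi_req_t *req)
{
    if (req->len > sizeof req->data)
        return -1;
    if (!buffer_outside_smram(req->dst, req->len))
        return -1;
    memcpy(req->dst, req->data, req->len);
    return 0;
}

/* Simulates ring-0 code issuing an SMI with a hostile request whose
 * destination points at flash_locked inside SMRAM. Returns flash_locked
 * after the handler ran: 0 means SMM-private state was overwritten. */
uint32_t run_attack(bool hardened)
{
    memset(g_phys, 0, sizeof g_phys);
    SMM_STATE->flash_locked = 1;

    smi_req_t *req = (smi_req_t *)OS_MEM;           /* comm buffer in OS memory */
    req->dst = (uint8_t *)&SMM_STATE->flash_locked; /* points into SMRAM */
    req->len = sizeof SMM_STATE->flash_locked;
    memset(req->data, 0, sizeof req->data);         /* payload: write 0 -> unlock */

    if (hardened)
        smi_handler_hardened(req);
    else
        smi_handler_vulnerable(req);
    return SMM_STATE->flash_locked;
}

/* Legitimate request with a destination in OS memory; both handlers accept it. */
int run_benign(bool hardened)
{
    memset(g_phys, 0, sizeof g_phys);
    smi_req_t *req = (smi_req_t *)OS_MEM;
    req->dst = OS_MEM + sizeof *req;                /* outside SMRAM */
    req->len = 4;
    memcpy(req->data, "ok!!", 4);
    return hardened ? smi_handler_hardened(req) : smi_handler_vulnerable(req);
}

int main(void)
{
    printf("vulnerable handler: flash_locked = %u\n", run_attack(false));
    printf("hardened handler:   flash_locked = %u\n", run_attack(true));
    return 0;
}
```

The model is single-threaded; a real handler must also copy the request out of the communication buffer into SMRAM before validating it, otherwise another CPU core can change dst or len between the check and the memcpy.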
Binarly further added that, if a vulnerability is found and a fix is issued, existing procedures would have to handle something like 50 vulnerabilities per day to patch 10,000+ devices.
Manufacturers are hard-pressed to close such gaps in the supply chain because much of it is outside their control: device manufacturing is an end-to-end process in which other vendors add their own software components to the firmware.
The disclosure follows HP's release, earlier last week, of fixes for a privilege escalation flaw (CVE-2022-38395, CVSS score: 8.2) in its Support Assistant troubleshooting software.
According to HP's advisory, the DLL hijacking vulnerability could let an attacker elevate privileges when Fusion launches HP Performance Tune-up.