HP: six firmware vulnerabilities left unpatched in many business laptops despite public disclosure
The high-severity bugs affect HP Elite 2-in-1 PCs, HP EliteBook, HP ProBook laptops, some workstations, point-of-sale systems and desktop computers
A group of six firmware security vulnerabilities found in HP's high-end business notebooks and PCs remain unpatched in more than a month after their public disclosure.
At the most recent Black Hat conference, which took place in August 2022, experts from Binarly disclosed details of issues impacting HP firmware. The experts said that these flaws "can't be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement."
Firmware flaws can have serious ramifications because they may be used by an attacker to gain long-term persistence on a device in a way that can withstand reboots and avoid conventional operating system-level security measures.
The high-severity bugs discovered by Binarly affect numerous HP products, including HP Elite 2-in-1 PCs, HP EliteBook and HP ProBook laptops, HP ZHAN notebooks, and HP ZBook workstations. Some workstations, point-of-sale systems, and desktop computers are also vulnerable.
The vulnerabilities are tracked as:
- CVE-2022-23930 - Stack-based buffer overflow - 'high' severity (CVSS score: 8.2)
- CVE-2022-31640 - Improper input validation - 'high' severity (CVSS score: 7.5)
- CVE-2022-31641 - Improper input validation - 'high' severity (CVSS score: 7.5)
- CVE-2022-31644 - Out-of-bounds write - 'high' severity (CVSS score: 7.5)
- CVE-2022-31645 - Out-of-bounds write - 'high' severity (CVSS score: 8.2)
- CVE-2022-31646 - Out-of-bounds write - 'high' severity (CVSS score: 8.2)
They are all privilege escalation issues that may lead to the execution of arbitrary code in System Management Mode (SMM), which has higher privileges than the operating system (OS) and the hypervisor.
SMM is a component of the UEFI firmware, which offers system-wide features including power management and low-level hardware control.
The six vulnerabilities affect distinct components, although each can lead to the same outcome.
HP was made aware of three of the problems (CVE-2022-23930, CVE-2022-31640 and CVE-2022-31641) in July 2021, while the remaining three vulnerabilities (CVE-2022-31644, CVE-2022-31645 and CVE-2022-31646) were reported to the company in April 2022.
HP has released mitigations to address the issues in question in March and August, but customers may be at danger of being subject to cyber attacks as the company has yet to push the patches for all impacted models.
The patching status for the impacted devices varies by each flaw.
High-severity HP Support Assistance bug
The revelation comes as HP addressed a high-severity, privilege escalation bug in its own Support Assistance troubleshooting tool last week.
The issue, which is tracked as CVE-2022-38395, has a severity rating of 'high' and a CVSS severity score of 8.2.
The bug might enable cybercriminals to give their payloads additional privileges in a system after they have gained initial access.
The vulnerability exists in the HP Support Assistant, which comes pre-loaded on all new HP PCs and laptops. It seems to exist especially in the Fusion component, which is used to launch HP Performance Tune-up - a diagnostic utility found in HP Support Assistant.
According to HP's security warning, CVE-2022-38395 is a dynamic link library (DLL) hijacking vulnerability that may lead to privilege escalation.
To safeguard their systems against threats, HP advised customers to upgrade to the most recent version of HP Support Assistant.
"If the system has HP Support Assistant version 8x, HP advises that customers to upgrade to HP Support Assistant version 9 by going to the About section and checking for updates," the advisory says.
"If the system has HP Support Assistant version 9, HP recommends keeping Microsoft Store updates turned on so that the application is always kept up to date."