The BIOS of specific HP PC models has flaws that could allow arbitrary code execution, escalation of privilege, denial of service, and information disclosure.
Firmware vulnerabilities are especially harmful because they can enable long-term compromises that regular security controls would not detect, or malware infections that persist even after the OS is reinstalled.
For some HP products, six flaws still remain unpatched:
- CVE-2022-23930 (CVSS score: 8.2): Stack-based buffer overflow enabling arbitrary code execution.
- CVE-2022-31640 (CVSS score: 7.5): Improper input validation gives attackers access to the CommBuffer data and creates a path to unrestricted changes.
- CVE-2022-31641 (CVSS score: 7.5): SMI handler vulnerability that could lead to arbitrary code execution.
- CVE-2022-31644 (CVSS score: 7.5): Out-of-bounds write on CommBuffer, enabling a partial validation bypass.
- CVE-2022-31645 (CVSS score: 8.2): Out-of-bounds write on CommBuffer because the size of the pointer sent to the SMI handler wasn’t checked.
- CVE-2022-31646 (CVSS score: 8.2): Out-of-bounds write based on direct memory manipulation API functionality, leading to privilege elevation and arbitrary code execution.
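Several of the flaws above come down to an SMI handler trusting sizes and pointers supplied through CommBuffer. The following is an added illustration of the checks such a handler needs, written for this page in C; it is not HP firmware code or Binarly's detection logic, and the SMRAM range, request layout and function names are constructed assumptions.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed stand-in for the SMRAM window an SMI handler must protect. */
#define SMRAM_BASE 0x10000000ULL
#define SMRAM_SIZE 0x00800000ULL

/* Hypothetical request layout that a caller passes through CommBuffer. */
typedef struct {
    uint32_t Command;
    uint32_t DataSize;          /* caller-controlled inner length */
    uint8_t  Data[64];
} CommRequest;

/* Same intent as EDK2's SmmIsBufferOutsideSmmValid(): reject a buffer that
   overlaps SMRAM, has zero length, or whose end address wraps around. */
bool buffer_outside_smram(uint64_t addr, uint64_t len) {
    if (len == 0 || addr + len < addr) return false;
    return (addr + len <= SMRAM_BASE) || (addr >= SMRAM_BASE + SMRAM_SIZE);
}

/* Hardened handler. comm_buffer_addr is the physical address the caller
   supplied; comm_buffer is where this simulation can read it. Every
   caller-controlled size is checked before any copy. Returns 0 on success. */
int smi_handler_hardened(const void *comm_buffer, uint64_t comm_buffer_addr,
                         uint64_t comm_buffer_size, uint8_t *out, size_t out_len) {
    CommRequest req;
    if (comm_buffer == NULL || comm_buffer_size < sizeof(CommRequest)) return -1;
    if (!buffer_outside_smram(comm_buffer_addr, comm_buffer_size)) return -1;
    /* Copy into SMRAM-local storage first so the caller cannot change the
       fields between validation and use (the shared buffer stays writable). */
    memcpy(&req, comm_buffer, sizeof(req));
    if (req.DataSize > sizeof(req.Data) || req.DataSize > out_len) return -1;
    memcpy(out, req.Data, req.DataSize);
    return 0;
}

int main(void) {
    uint8_t out[64];
    CommRequest req = { .Command = 1, .DataSize = 8 };
    printf("valid request: %d\n", smi_handler_hardened(&req, 0x20000000ULL, sizeof req, out, sizeof out));
    printf("short CommBuffer: %d\n", smi_handler_hardened(&req, 0x20000000ULL, sizeof req - 1, out, sizeof out));
    req.DataSize = 1000;  /* inner size larger than the Data field */
    printf("oversized DataSize: %d\n", smi_handler_hardened(&req, 0x20000000ULL, sizeof req, out, sizeof out));
    return 0;
}
```

Each rejected case corresponds to one class of bug in the list: a CommBuffer shorter than the structure it claims to carry, a buffer that points into SMRAM, and an inner size field larger than the destination it is copied into.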
HP Advisories Available
Security updates for CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646 were announced in an advisory in August. Still, many BIOS updates are pending for the following products:
- Business notebook PCs: Elite, Zbook, ProBook
- Business desktop PCs: ProDesk, EliteDesk, ProOne
- Point of sale systems
- HP workstations: Z1, Z2, Z4, Zcentral
CVE-2022-23930 lacks fixes for thin client PCs, even though it was fixed on all other systems back in March. Details can be found in February’s advisory.
CVE-2022-31640 and CVE-2022-31641 have been getting fixes since August, but many HP workstations are still vulnerable and waiting for fixes. Check here for future updates.
Updates are Expected
After being informed of CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646 in July 2021 and of the remaining three vulnerabilities in April 2022, the vendor had between four months and more than a year to release patches.
While waiting for security updates, users are advised to reduce their exposure through basic firmware hygiene: validate applications before executing them, disable any debug ports that are left open, and be wary of unofficial firmware updates.
FwHunt rules for detection are available on GitHub, published by Binarly.