Login
Get a Demo
Become a Partner
SOCRadar® Cyber Intelligence Inc. | High-Severity Firmware Flaws in HP Devices Yet to Be Patched
Table Of Content
Home

Resources

Blog
Sep 12, 2022
3 Mins Read

High-Severity Firmware Flaws in HP Devices Yet to Be Patched

Specific HP PC models’ BIOS has flaws that could allow arbitrary code execution, escalation of privilege, denial of service, and information disclosure.

Firmware vulnerabilities are especially harmful since they can enable long-term breaches that would not be detected by regular security measures or cause malware infections that last even after an OS re-installation. 

For some HP products, six flaws still remain unpatched: 

  • CVE-2022-23930 (CVSS score: 8.2): Stack-based buffer overflow enabling arbitrary code execution
  • CVE-2022-31640 (CVSS score: 7.5): Improper input validation gives attackers access to the CommBuffer data and creates a path to unrestricted changes. 
  • CVE-2022-31641 (CVSS score: 7.5): SMI handler vulnerability that could cause arbitrary code execution 
  • CVE-2022-31644 (CVSS score: 7.5): Out-of-bounds write on CommBuffer, enabling partial validation bypassing
  • CVE-2022-31645 (CVSS score: 8.2): Out-of-bounds write on CommBuffer because the size of the pointer sent to the SMI handler wasn’t checked. 
  • CVE-2022-31646 (CVSS score: 8.2): Out-of-bounds write based on direct memory manipulation API functionality, leading to privilege elevation and arbitrary code execution.

HP Advisories Available 

Security updates for CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646 were announced in an advisory in August. Still, many BIOS updates are pending for the following products: 

  • Business notebook PCs: Elite, Zbook, ProBook 
  • Business desktop PCs: ProDesk, EliteDesk, ProOne
  • Point of sale systems 
  • HP workstations: Z1, Z2, Z4, Zcentral 

CVE-2022-23930 lacks fixes for thin client PCs, even though it was fixed on all other systems back in March. Details can be found in February’s advisory

CVE-2022-31640 and CVE-2022-31641 have been getting fixes since August, but many HP workstations are still vulnerable and waiting for fixes. Check here for future updates. 

Updates are Expected 

After being informed of CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646 in July 2021 and of the remaining three vulnerabilities in April 2022, the vendor had between four months and more than a year to release patches. 

While waiting for security updates, users are advised to mitigate by keeping their firmware safe. Basic practices include validating applications before execution and disabling debug ports if open. Beware of unofficial firmware updates.

FwHunt rules for detection are available on GitHub, published by Binarly. 

Related Articles
SOCRadar® Cyber Intelligence Inc. | ShadowRay Campaign Exploits Critical Ray Framework Vulnerabilities to Compromise AI Workloads Globally
ShadowRay Campaign Exploits Critical Ray Framework Vulnerabilities to Compromise AI Workloads Globally
Apr 26, 2024
SOCRadar® Cyber Intelligence Inc. | APT28 Deploys ‘GooseEgg’ in Attacks Exploiting the Windows Print Spooler Vulnerability, CVE-2022-38028
APT28 Deploys ‘GooseEgg’ in Attacks Exploiting the Windows Print Spooler Vulnerability, CVE-2022-38028
Apr 24, 2024
SOCRadar® Cyber Intelligence Inc. | OpenMetadata Vulnerabilities Allow Attackers to Cryptomine in Kubernetes Environments
OpenMetadata Vulnerabilities Allow Attackers to Cryptomine in Kubernetes Environments
Apr 18, 2024
SOCRadar® Cyber Intelligence Inc. | CVE-2024-21006 in Oracle WebLogic Server – Oracle’s April 2024 Update Brings 441 New Security Patches
CVE-2024-21006 in Oracle WebLogic Server – Oracle’s April 2024 Update Brings 441 New Security Patches
Apr 17, 2024
SOCRadar® Cyber Intelligence Inc. | Committing a Sin, OpenJS Foundation and XZ Utils Incidents: Lessons in Open Source Security
Committing a Sin, OpenJS Foundation and XZ Utils Incidents: Lessons in Open Source Security
Apr 17, 2024