Many HP devices, especially those in the professional ranges, are affected by a set of six high-severity security vulnerabilities in their firmware. These vulnerabilities are not fully patched, even though some of them have been publicly disclosed since July 2021.
What is HP doing? Security researchers reported three vulnerabilities to HP in July 2021, then three more in April 2022, and it turns out that these vulnerabilities are still not fixed, even though more than four months, or more than a full year, have passed depending on the vulnerability. Binarly, which discovered these flaws, presented some of them publicly at the Black Hat 2022 conference, and even so HP has still not released security updates for all of the affected models (it has for some).
Here is the list of these six vulnerabilities, each of which allows arbitrary code execution. They are memory-corruption flaws located in the System Management Mode (SMM) component of the UEFI firmware:
- CVE-2022-23930 – CVSS v3 score of 8.2 out of 10
- CVE-2022-31644 – CVSS v3 score of 7.5 out of 10
- CVE-2022-31645 – CVSS v3 score of 8.2 out of 10
- CVE-2022-31646 – CVSS v3 score of 8.2 out of 10
- CVE-2022-31640 – CVSS v3 score of 7.5 out of 10
- CVE-2022-31641 – CVSS v3 score of 7.5 out of 10
Flaws in firmware are particularly dangerous: malware that exploits such a vulnerability can persist even across a reinstallation of the operating system, since it lives below the OS.
Are these vulnerabilities fixed?
HP has released three security advisories covering the different vulnerabilities, and they list the affected models. Here is the list:
Here’s what to remember:
- CVE-2022-23930 was fixed on all affected systems in March 2022, except for thin client PCs
- CVE-2022-31644, CVE-2022-31645 and CVE-2022-31646 were fixed by security updates released on August 9, 2022
However, many models have yet to receive patches! This is the case for laptops aimed at the professional market, such as the Elite, ZBook and ProBook ranges, as well as desktop computers in the ProDesk, EliteDesk and ProOne ranges, and also the Z1, Z2, Z4 and ZCentral ranges.
- CVE-2022-31640 and CVE-2022-31641 were fixed by hotfixes published throughout August and up to September 7, 2022
Despite all this, some HP models still have no patches and therefore remain exposed. It remains to be seen when HP will release patches for the many models that have no fix to date… Last week, a significant vulnerability in the HP Support Assistant software was the subject of its own article.