A number of firmware security flaws discovered in HP’s high-end business laptops continue to go unpatched in some devices, even months after they were publicly disclosed.
Binarly, which first revealed details of the issues at the Black Hat USA conference in mid-August 2022, said the vulnerabilities “cannot be detected by firmware integrity monitoring systems due to limitations of Trusted Platform Module (TPM) measurement”.
Firmware flaws are serious because an adversary can exploit them to gain long-term persistence on a device that survives reboots and evades traditional OS-level security protections.
The high-severity weaknesses identified by Binarly affect HP EliteBook devices and stem from memory corruption in the firmware’s System Management Mode (SMM), allowing arbitrary code execution with the highest privileges:
- CVE-2022-23930 (CVSS score: 8.2) – Stack-based buffer overflow
- CVE-2022-31640 (CVSS score: 7.5) – Incorrect input validation
- CVE-2022-31641 (CVSS score: 7.5) – Incorrect input validation
- CVE-2022-31644 (CVSS score: 7.5) – Out-of-bounds write
- CVE-2022-31645 (CVSS score: 8.2) – Out-of-bounds write
- CVE-2022-31646 (CVSS score: 8.2) – Out-of-bounds write
Three of the bugs (CVE-2022-23930, CVE-2022-31640, and CVE-2022-31641) were reported to HP in July 2021; the remaining three (CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646) were reported in April 2022.
CVE-2022-23930 is also one of 16 security flaws previously reported in February as affecting multiple HP business models.
SMM, also known as “Ring -2”, is a special-purpose x86 CPU mode that firmware (i.e. UEFI) uses for system-wide functions such as power management, hardware interrupts and other proprietary code written by the original equipment manufacturer (OEM). SMM code runs from a protected memory region (SMRAM) that the operating system cannot read or modify, yet SMM itself can access all of system memory.
Flaws in SMM code therefore give threat actors a lucrative attack vector: they can run arbitrary code with privileges higher than those of the operating system and the security tooling running on top of it.
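The memory-corruption classes listed above (stack-based buffer overflow, missing input validation, out-of-bounds write) typically arise when a System Management Interrupt (SMI) handler trusts a length or pointer taken from the OS-controlled communication buffer. The C model below was written for this page as an illustration; it is not HP firmware and not any of the listed CVEs. It shows the unchecked pattern beside the checks a handler should perform: bounding the length, rejecting a buffer that overlaps SMRAM, and guarding the range arithmetic against wrap-around. The SMRAM window, buffer layout, status codes and function names are hypothetical, and the "stack frame" is an ordinary struct so the overwrite can be observed rather than crashing the process.

```c
/*
 * Constructed, user-space model of the SMI-handler bug class discussed in
 * the article.  Not HP firmware, not any of the CVEs listed; the SMRAM
 * range, frame layout, status codes and names are hypothetical.
 */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

#define MAX_PAYLOAD 64u

/* Hypothetical SMRAM (TSEG) window; real values come from the chipset. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL

/* What an OS driver places in the shared comm buffer before raising an SMI.
 * Every field, including DataSize, is attacker controlled, and the OS-side
 * buffer can be larger than the handler expects. */
typedef struct {
    uint32_t Command;
    uint32_t DataSize;
    uint8_t  Data[256];
} SmmCommBuffer;

/* Model of the handler's stack frame: the local copy buffer followed by the
 * saved return address a real overflow would reach.  Kept as a plain struct
 * so the corruption is observable instead of crashing the simulation. */
typedef struct {
    uint8_t  local[MAX_PAYLOAD];
    uint64_t saved_return;
} SimulatedFrame;

typedef enum {
    SMM_OK = 0,
    SMM_BAD_SIZE,   /* DataSize exceeds the handler's local buffer          */
    SMM_BAD_RANGE   /* comm buffer overlaps SMRAM or wraps the address space */
} SmmStatus;

/* Vulnerable pattern (stack-based overflow / out-of-bounds write class):
 * DataSize is used as the copy length with no check against `local`, so the
 * copy runs past the buffer into whatever sits above it on the SMM stack. */
SmmStatus smi_handler_vulnerable(const SmmCommBuffer *comm, SimulatedFrame *frame)
{
    uint8_t *dst = (uint8_t *)frame;                 /* byte view of the frame */
    for (uint32_t i = 0; i < comm->DataSize; i++)    /* BUG: unbounded length */
        dst[i] = comm->Data[i];
    return SMM_OK;                                   /* never reports trouble */
}

/* Hardened handler.  comm_phys is the physical address the handler was given
 * for the buffer (a plain integer in this simulation). */
SmmStatus smi_handler_hardened(const SmmCommBuffer *comm, uint64_t comm_phys,
                               SimulatedFrame *frame)
{
    uint32_t size = comm->DataSize;   /* read once: OS memory can change under us */

    /* 1. Length must fit the local buffer. */
    if (size > MAX_PAYLOAD)
        return SMM_BAD_SIZE;

    /* 2. Buffer must lie entirely outside SMRAM; otherwise the OS can make
     *    the handler read or write SMM-private memory on its behalf.
     *    Reject wrap-around before the overlap test. */
    if (comm_phys > UINT64_MAX - sizeof(SmmCommBuffer))
        return SMM_BAD_RANGE;
    uint64_t end = comm_phys + sizeof(SmmCommBuffer);
    if (comm_phys < SMRAM_BASE + SMRAM_SIZE && end > SMRAM_BASE)
        return SMM_BAD_RANGE;

    memcpy(frame->local, comm->Data, size);          /* bounded copy */
    return SMM_OK;
}

/* Helper for checking the validation logic on constructed requests. */
SmmStatus check_request(uint32_t data_size, uint64_t comm_phys)
{
    SmmCommBuffer comm = { .Command = 1, .DataSize = data_size };
    SimulatedFrame frame = { .saved_return = 1 };
    return smi_handler_hardened(&comm, comm_phys, &frame);
}

/* Drives both handlers with the same oversized request (constructed input).
 * Returns true if the vulnerable handler overwrote the saved return address
 * while the hardened one rejected the request and left the frame intact. */
bool demo_overflow(void)
{
    const uint64_t sentinel = 0xDEADBEEFCAFEF00DULL;
    SmmCommBuffer comm = { .Command = 1, .DataSize = MAX_PAYLOAD + 8 };
    memset(comm.Data, 0x41, MAX_PAYLOAD + 8);        /* 72 bytes of 'A' */

    SimulatedFrame vuln = { .saved_return = sentinel };
    SimulatedFrame safe = { .saved_return = sentinel };
    smi_handler_vulnerable(&comm, &vuln);
    SmmStatus st = smi_handler_hardened(&comm, 0x10000000ULL, &safe);

    return vuln.saved_return == 0x4141414141414141ULL
        && st == SMM_BAD_SIZE
        && safe.saved_return == sentinel;
}

int main(void)
{
    printf("vulnerable handler corrupted saved return, hardened one refused: %s\n",
           demo_overflow() ? "yes" : "no");
    return 0;
}
```

Real firmware goes one step further than this model: the handler copies the comm buffer into SMRAM before validating it, so that the OS cannot change DataSize between the check and the copy (a TOCTOU race that a single read of the field only partly closes).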
Although HP released fixes for the flaws in March and August, the vendor has yet to roll them out for all affected models, leaving some customers exposed to attack.
“In many cases, firmware is a single point of failure between all layers of the supply chain and the endpoint client device,” Binarly said, adding that “fixing vulnerabilities from a single vendor is not enough”.
“Due to the complexity of the firmware supply chain, there are gaps that are difficult to fill on the manufacturing side, as this involves issues beyond the control of device vendors.”
The disclosure also comes as the PC maker last week rolled out fixes for a privilege escalation flaw (CVE-2022-38395, CVSS score: 8.2) in its Support Assistant troubleshooting software.
“It is possible for an attacker to exploit the DLL hijacking vulnerability and elevate privileges when Fusion launches HP Performance Tune-up,” the company noted in an advisory.