Some HP devices may still be affected by firmware vulnerabilities reported back in July 2021. Firmware vulnerabilities present a significant threat to organizations due to their ability to persist across operating system re-installations.
The most recent roundup of HP firmware vulnerabilities revolves around System Management Mode (SMM), which runs at a higher privilege than even the operating system's kernel. SMM is part of modern UEFI firmware and provides low-level hardware control. Code that operates below the operating system is a significant hurdle for detecting and removing an infection, because OS-level security tooling cannot inspect it.
Researchers at Binarly list the following vulnerabilities as reported but left unpatched for months:
- CVE-2022-23930 – Stack-based buffer overflow leading to arbitrary code execution. (CVSS v3 score: 8.2 “High”)
- CVE-2022-31644 – Out-of-bounds write on CommBuffer, allowing a partial bypass of validation. (CVSS v3 score: 7.5 “High”)
- CVE-2022-31645 – Out-of-bounds write on CommBuffer caused by a missing size check on the pointer passed to the SMI handler. (CVSS v3 score: 8.2 “High”)
- CVE-2022-31646 – Out-of-bounds write based on direct memory manipulation API functionality, leading to privilege elevation and arbitrary code execution. (CVSS v3 score: 8.2 “High”)
- CVE-2022-31640 – Improper input validation giving attackers control of the CommBuffer data and opening the path to unrestricted modifications. (CVSS v3 score: 7.5 “High”)
- CVE-2022-31641 – Callout vulnerability in the SMI handler leading to arbitrary code execution. (CVSS v3 score: 7.5 “High”)
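As an added illustration (not code from HP or Binarly), the constructed C model below contrasts an SMI handler that trusts the caller's CommBuffer with one that validates the outer buffer and every nested pointer and length against SMRAM, which is the check the out-of-bounds-write entries above are missing. The SMRAM window, request layout and `range_outside_smram` helper are assumptions modeled on the validation EDK2's SmmMemLib performs.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>

/* Constructed SMRAM window for the example (not a real HP layout). */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL

/* Hypothetical request an SMI handler expects to find in the CommBuffer.
 * Every field is supplied by untrusted, OS-level code. */
typedef struct {
    uint32_t op;
    uint32_t len;
    uint64_t data_ptr;   /* nested pointer chosen by the caller */
} comm_request_t;

/* Hardened range check, modeled on EDK2's SmmIsBufferOutsideSmmValid():
 * a caller-supplied [addr, addr+len) must not be empty, must not wrap the
 * address space, and must not overlap SMRAM. */
bool range_outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0) return false;
    if (addr + len < addr) return false;                /* integer wrap */
    uint64_t end = addr + len;                          /* exclusive */
    uint64_t smram_end = SMRAM_BASE + SMRAM_SIZE;
    return end <= SMRAM_BASE || addr >= smram_end;
}

/* Weak pattern: only the outer size is checked, so a nested pointer into
 * SMRAM would still be dereferenced. Returns true if the handler would
 * proceed to write through data_ptr. */
bool weak_handler_accepts(const comm_request_t *req, uint64_t comm_size)
{
    return comm_size >= sizeof(*req);
}

/* Hardened pattern: validate the outer buffer, bound the requested length,
 * and validate the nested pointer before any write takes place. */
bool hardened_handler_accepts(uint64_t comm_addr, uint64_t comm_size,
                              const comm_request_t *req)
{
    if (comm_size < sizeof(*req)) return false;
    if (!range_outside_smram(comm_addr, comm_size)) return false;
    if (req->len == 0 || req->len > 4096) return false;  /* per-op bound */
    return range_outside_smram(req->data_ptr, req->len);
}
```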
In March 2022, HP released a patch for CVE-2022-23930, excluding thin clients.
In August 2022, HP released patches for CVE-2022-31644, CVE-2022-31645, CVE-2022-31646, CVE-2022-31640 and CVE-2022-31641. The last three received fixes throughout August, with the final update landing on September 7, 2022, but many HP workstations remain exposed without an official fix.
Security professionals and journalists rightly advocate keeping systems patched, but for low-level vulnerabilities such as these the onus of producing a fix lies with the hardware and software vendors. Organizations should communicate with their vendors and make clear that they expect frequent and consistent security patches.