Cybersecurity researchers on Tuesday disclosed sixteen new high-severity vulnerabilities in various implementations of Unified Extensible Firmware Interface (UEFI) firmware affecting multiple HP enterprise devices. The shortcomings, which carry CVSS scores ranging from 7.5 to 8.8, were uncovered in HP’s UEFI firmware. Affected devices include HP laptops, desktops, point-of-sale (PoS) systems, and edge computing nodes.

“By exploiting the vulnerabilities disclosed, attackers can leverage them to perform privileged code execution in firmware, below the operating system, and potentially deliver persistent malicious code that survives operating system re-installations and allows the bypass of endpoint security solutions (EDR/AV), Secure Boot and Virtualization-Based Security isolation,” American firmware security company Binarly said in a report shared with researchers.

The most severe of the flaws are memory corruption vulnerabilities in the firmware’s System Management Mode (SMM), which allow the execution of arbitrary code with the highest privileges on the platform.
The vulnerabilities found in the UEFI firmware of millions of HP devices were addressed in firmware updates shipped on February 2nd and March 8th. Organizations running HP devices should update all of them to the latest firmware. Because some of the vulnerabilities enable arbitrary code execution with the highest privileges, it is imperative to upgrade the firmware on any affected HP devices as soon as possible.