Waiting for security updates: Some HP computers have been vulnerable for months
Attackers could use firmware vulnerabilities to load malicious code onto certain HP PC models and completely compromise them.
Security researchers from Binarly warn of six vulnerabilities in HP computers, mainly models used in the business sector. They state that they reported three of the flaws to the manufacturer more than a year ago. So far, not all affected models have received patches.
Firmware infected with malicious code
In a post, the researchers state that these are UEFI firmware vulnerabilities in System Management Mode (SMM), the highly privileged CPU mode whose code runs in protected SMRAM memory outside the control of the operating system and hypervisor. All six vulnerabilities are rated "high", and attackers could use them to load and execute malicious code on affected systems. How attacks would proceed in detail is not yet known. According to the researchers, attackers can trigger memory-corruption errors in SMM code, in ways that are not described in detail, in order to place their own code in memory.
A foothold in the firmware is particularly dangerous because malicious code anchored there is started before Windows boots and runs outside the operating system's view. Windows security mechanisms are therefore ineffective against it, since the code is already running before the system starts. Attackers could also bypass Secure Boot in this way, or plant backdoors that persist on the PC independently of the operating system.
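To make the bug class concrete, here is an added, constructed C model of an SMM communication handler. It is not HP's or Binarly's code and does not reproduce any of the reported flaws; the SMRAM address range, the request layout and the function names are assumptions. It shows the classic SMM mistake: a handler trusts a pointer and length supplied by the (OS-level) caller and would write through it, so the caller can point the write into SMRAM and have the firmware overwrite its own code or data. The hardened handler rejects any range that overlaps SMRAM, including zero-length and wrapping ranges, which is the same check real UEFI code performs with EDK2's SmmIsBufferOutsideSmmValid() from SmmMemLib.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stdio.h>

/* Constructed model of a protected SMRAM region. The values are
 * hypothetical and chosen only for illustration. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL

/* Request that a non-SMM caller hands to the handler through the
 * communication buffer: "write <size> bytes to physical address <dest>". */
typedef struct {
    uint64_t dest;   /* caller-controlled destination address */
    uint64_t size;   /* caller-controlled length in bytes */
} smm_req_t;

/* What the handler would do with the request. */
typedef enum { SMM_WRITE_OK = 0, SMM_REJECTED = 1 } smm_result_t;

/* Unhardened handler: trusts dest and size as received. A caller can
 * set dest inside SMRAM and make SMM corrupt its own memory. */
smm_result_t unhardened_handler(const smm_req_t *req)
{
    (void)req;               /* no validation at all */
    return SMM_WRITE_OK;
}

/* True if the request is unsafe: zero length, a range that wraps around
 * the 64-bit address space, or any byte of [dest, dest+size) inside
 * [SMRAM_BASE, SMRAM_BASE+SMRAM_SIZE). */
bool request_touches_smram(uint64_t dest, uint64_t size)
{
    if (size == 0)
        return true;                       /* nothing legitimate to do */
    if (dest + size < dest)
        return true;                       /* wrap-around: reject, don't guess */
    uint64_t end = dest + size;            /* exclusive end, no overflow here */
    uint64_t smram_end = SMRAM_BASE + SMRAM_SIZE;
    /* Half-open intervals overlap iff each starts before the other ends. */
    return dest < smram_end && end > SMRAM_BASE;
}

/* Hardened handler: refuses to act on any request that overlaps SMRAM. */
smm_result_t hardened_handler(const smm_req_t *req)
{
    if (request_touches_smram(req->dest, req->size))
        return SMM_REJECTED;
    return SMM_WRITE_OK;
}

int main(void)
{
    /* A benign request followed by one aimed at SMRAM; both constructed. */
    smm_req_t benign   = { 0x1000ULL, 0x100ULL };
    smm_req_t in_smram = { SMRAM_BASE + 0x100ULL, 8ULL };

    printf("benign:   unhardened=%d hardened=%d\n",
           unhardened_handler(&benign), hardened_handler(&benign));
    printf("in SMRAM: unhardened=%d hardened=%d\n",
           unhardened_handler(&in_smram), hardened_handler(&in_smram));
    return 0;
}
```

The interesting cases for the check are the boundaries: a range that starts just below SMRAM but spills into it, a range that starts exactly at the end of SMRAM (allowed), and an address near the top of the 64-bit space whose end wraps to a small value, which a naive `dest + size <= SMRAM_BASE` comparison would wrongly accept.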
Not all updates are there yet
In March 2022, HP closed one vulnerability (CVE-2022-23930) on all affected systems. Security patches for three further vulnerabilities (CVE-2022-31644, CVE-2022-31645, CVE-2022-31646) have been available since August, but not for every vulnerable device. The same applies to the patches for the remaining two vulnerabilities (CVE-2022-31640, CVE-2022-31641). Many ProBook, ProOne and ZCentral models, for example, are still vulnerable. Administrators should compare the installed BIOS version of affected models against the fixed versions listed in HP's security bulletins. It is not yet known when the outstanding patches will appear; a request from voonze Security to HP has not yet been answered.