A wide range of HP Enterprise devices are vulnerable to six high-severity firmware bugs, some of which have been publicly known since July 2021.
The Binarly security research team provides an in-depth look at some of the bugs they discussed at the Black Hat 2022 conference, which affect HP EliteBook devices.
Firmware bugs are especially dangerous because they can lead to malware infections that persist across OS re-installations, or to long-term compromises that standard security tools would not detect.
Unfortunately, HP has not yet patched these six bugs: HP enterprise laptops and desktops still have not received firmware updates addressing them.
The six flaws Binarly says HPE has left unpatched for months are:
- CVE-2022-23930 – Stack-based buffer overflow leading to arbitrary code execution. (CVSS v3 score: 8.2 “High”)
- CVE-2022-31644 – Out-of-bounds write on CommBuffer, allowing partial validation bypassing. (CVSS v3 score: 7.5 “High”)
- CVE-2022-31645 – Out-of-bounds write on CommBuffer based on not checking the size of the pointer sent to the SMI handler. (CVSS v3 score: 8.2 “High”)
- CVE-2022-31646 – Out-of-bounds write based on direct memory manipulation API functionality, leading to privilege elevation and arbitrary code execution. (CVSS v3 score: 8.2 “High”)
- CVE-2022-31640 – Improper input validation giving attackers control of the CommBuffer data and opening the path to unrestricted modifications. (CVSS v3 score: 7.5 “High”)
- CVE-2022-31641 – Callout vulnerability in the SMI handler leading to arbitrary code execution. (CVSS v3 score: 7.5 “High”)
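Several of the listed bugs share one root cause: an SMI handler trusts the caller-supplied CommBuffer (its size, or a pointer/length pair nested inside it) without checking that the memory it is about to write lies outside SMRAM. The following C model, added here as an illustration and not code from Binarly, HP or the affected firmware, shows the validation a hardened handler performs before touching the buffer. The SMRAM range, the `comm_buffer_t` layout, `MAX_PAYLOAD` and the function names are all constructed for this example; real EDK2-based firmware obtains the platform SMRAM ranges from SmmMemLib and uses `SmmIsBufferOutsideSmmValid` for the same range check.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed SMRAM range for this illustration. Real firmware gets the
   ranges from the platform (EDK2: SmmMemLib / SmmIsBufferOutsideSmmValid). */
#define SMRAM_BASE  0x7F000000ULL
#define SMRAM_SIZE  0x00800000ULL
#define MAX_PAYLOAD 0x1000U   /* hypothetical per-handler payload limit */

/* Hypothetical CommBuffer layout: the OS-side caller supplies a destination
   pointer and length that the handler will write its result into. */
typedef struct {
    uint64_t out_ptr;   /* caller-supplied destination address */
    uint32_t out_size;  /* caller-supplied destination length  */
} comm_buffer_t;

enum check_result {
    CHECK_OK = 0,
    CHECK_BAD_SIZE,          /* CommBufferSize smaller than the expected header */
    CHECK_COMMBUF_IN_SMRAM,  /* the CommBuffer itself overlaps SMRAM */
    CHECK_BAD_PAYLOAD_SIZE,  /* nested length is zero or above the limit */
    CHECK_PTR_IN_SMRAM       /* nested pointer/length overlaps SMRAM */
};

/* True only if [addr, addr + len) is non-empty, does not wrap around the
   address space, and lies entirely outside SMRAM. */
bool outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0 || addr + len < addr)   /* empty or wrapping range */
        return false;
    uint64_t end = addr + len;
    uint64_t smram_end = SMRAM_BASE + SMRAM_SIZE;
    return end <= SMRAM_BASE || addr >= smram_end;
}

/* The checks an SMI handler should run before trusting CommBuffer.
   comm_addr/comm_size are what the SMM core hands the handler; cb is the
   header read from that buffer (passed separately here because the
   addresses in this model are not real memory). */
enum check_result validate_comm_buffer(uint64_t comm_addr, uint64_t comm_size,
                                       const comm_buffer_t *cb)
{
    /* Size check: the header must fit in the buffer before reading fields. */
    if (comm_size < sizeof(comm_buffer_t))
        return CHECK_BAD_SIZE;
    /* The CommBuffer must not point into SMRAM. */
    if (!outside_smram(comm_addr, comm_size))
        return CHECK_COMMBUF_IN_SMRAM;
    /* Bound the nested length before using it for any copy. */
    if (cb->out_size == 0 || cb->out_size > MAX_PAYLOAD)
        return CHECK_BAD_PAYLOAD_SIZE;
    /* The nested destination must also be fully outside SMRAM. */
    if (!outside_smram(cb->out_ptr, cb->out_size))
        return CHECK_PTR_IN_SMRAM;
    return CHECK_OK;
}

int main(void)
{
    /* Constructed inputs: a well-formed request and one whose nested
       pointer targets SMRAM (the pattern behind the CommBuffer bugs). */
    comm_buffer_t good = { 0x10000000ULL, 0x100 };
    comm_buffer_t bad  = { 0x7F000100ULL, 0x100 };
    printf("good request -> %d\n",
           validate_comm_buffer(0x20000000ULL, sizeof(comm_buffer_t), &good));
    printf("pointer into SMRAM -> %d\n",
           validate_comm_buffer(0x20000000ULL, sizeof(comm_buffer_t), &bad));
    return 0;
}
```

The order of the checks matters: the size check comes first so the handler never reads header fields that lie past the end of the buffer, and the nested length is bounded before the nested pointer is range-checked so that an oversized or wrapping length cannot slip through the overlap test.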
Firmware supply chain problems remain one of the major challenges for IT companies and vendors alike.