Hewlett Packard (HP) has recently published a security advisory. This warning addresses two vulnerabilities in the firmware of over 200 HP models (business and consumer variants) that allow the firmware to be overwritten. The vulnerabilities have been given a security score of 8.8 – updates are available. Furthermore, Intel has issued a security advisory for vulnerabilities in the BIOS of Intel systems, which have a score of 8.2 and allow privilege escalation.
First hints for BIOS updates
German blog reader Heiko had already pointed out the issue in a comment and wrote on May 12, 2022 (translated):
HP published a security advisory about two vulnerabilities in the firmware of its devices (business and consumer variants). These vulnerabilities are rated with a score of 8,. These are ACE vulnerabilities, whereby exact details about the attack vectors have not yet been published by HP.
But besides HP, Intel also had to issue a warning about BIOS vulnerabilities. The Internet Storm Center (SANS ISC) also points to HP's BIOS updates in a tweet, in addition to an Intel BIOS patch.
HP BIOS updates
HP writes in the advisory HP PC BIOS – May 2022 Security Updates that vulnerabilities have been discovered in the BIOS (UEFI firmware) of certain HP PC products that could allow arbitrary code execution. The vulnerabilities have been assigned the following CVE IDs:
- CVE-2021-3808; CVSS base score 8.8
- CVE-2021-3809; CVSS base score 8.8
No further details of possible attack vectors have yet been released for either CVE. A list of the affected machines, as well as information about BIOS firmware updates that fix the vulnerabilities, can be found in the HP advisory HP PC BIOS – May 2022 Security Updates. Incidentally, the manufacturer has had to patch serious vulnerabilities in the BIOS several times in recent weeks (the colleagues at Bleeping Computer have covered this).
However, Nicholas Starke, the discoverer of one of the vulnerabilities, has published a separate blog post giving more details. There is a software system management interrupt handler (SMI handler) registered with SMI code 99 (0x63). The discovered vulnerability could allow an attacker operating with kernel-level privileges (CPL == 0) to escalate their privileges into system management mode (SMM). Running in SMM gives an attacker full privileges over the host to perform further attacks.
Now, one can argue that if the attacker already has kernel-level privileges, the damage is already done. But the problem is that an attacker could exploit this vulnerability (e.g. via a modified malicious driver) to overwrite the machine's BIOS/UEFI. Malicious routines could then be persistently embedded on the machine, allowing them to survive an OS reboot. In many scenarios, HP Sure Start detects that the firmware runtime has been manipulated.
Intel BIOS updates
Processor manufacturer Intel has also published Security Advisory INTEL-SA-00601 as of May 10, 2022. There are vulnerabilities in the BIOS firmware or BIOS authenticated code module for some Intel® processors. These vulnerabilities may allow privilege escalation or information disclosure.
- CVE-2021-0154: Improper input validation in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. CVSS Base Score: 8.2 High
- CVE-2021-0153: Out-of-bounds write in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. CVSS Base Score: 8.2 High
- CVE-2021-33123: Improper access control in the BIOS authenticated code module for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. CVSS Base Score: 8.2 High
- CVE-2021-0190: Uncaught exception in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. CVSS Base Score: 8.2 High
- CVE-2021-33122: Insufficient control flow management in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. CVSS Base Score: 7.9 High
- CVE-2021-0189: Use of out-of-range pointer offset in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. CVSS Base Score: 7.5 High
- CVE-2021-33124: Out-of-bounds write in the BIOS authenticated code module for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. CVSS Base Score: 7.5 High
- CVE-2021-33103: Unintended intermediary in the BIOS authenticated code module for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. CVSS Base Score: 7.5 High
- CVE-2021-0159: Improper input validation in the BIOS authenticated code module for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. CVSS Base Score: 7.4 High
- CVE-2021-0188: Return of pointer value outside of expected range in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable an escalation of privilege via local access. CVSS Base Score: 5.3 Medium
- CVE-2021-0155: Unchecked return value in the BIOS firmware for some Intel(R) Processors may allow a privileged user to potentially enable information disclosure via local access. CVSS Base Score: 4.4 Medium
A list of affected CPUs can be found in advisory INTEL-SA-00601, and Intel has issued BIOS updates to mitigate these potential vulnerabilities. Those running machines with the affected CPUs should check whether the manufacturer or motherboard vendor provides corresponding BIOS updates.
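One way to run that check across a fleet, as an added example that is not from the article, HP or Intel: it parses dmidecode-style output and compares the installed BIOS version with the first fixed version per model, falling back to the BIOS release date when the model is not in the table. Host names, model names, version strings and the FIXED_IN table are constructed placeholders; the real minimum versions have to be taken from the vendor advisory.

```python
import re
from datetime import date, datetime

# Placeholder: product name -> first fixed BIOS version (constructed, not vendor data).
FIXED_IN = {"EXAMPLE-MODEL-A": (1, 9, 0)}
# INTEL-SA-00601 date from the article, used only as an age cut-off (assumption).
ADVISORY_DATE = date(2022, 5, 10)

def dmi(version, released, product):  # constructed `dmidecode -t bios -t system` excerpt
    return (f"BIOS Information\n\tVendor: HP\n\tVersion: {version}\n"
            f"\tRelease Date: {released}\nSystem Information\n"
            f"\tProduct Name: {product}\n\tVersion: Not Specified\n")

SAMPLE = {  # constructed hosts, versions and dates
    "host-01": dmi("S70 Ver. 01.08.10", "01/20/2022", "EXAMPLE-MODEL-A"),
    "host-02": dmi("S70 Ver. 01.09.00", "04/12/2022", "EXAMPLE-MODEL-A"),
    "host-03": dmi("T01 Ver. 02.03.00", "11/03/2021", "EXAMPLE-MODEL-B"),
    "host-04": dmi("T01 Ver. 02.05.00", "06/01/2022", "EXAMPLE-MODEL-B"),
}

def parse_dmi(text):
    """Map 'Section/Key' -> value so the system Version cannot overwrite the BIOS one."""
    fields, section = {}, ""
    for line in text.splitlines():
        if line and not line[0].isspace():   # unindented line starts a new section
            section = line.strip()
        elif ":" in line:
            key, value = line.split(":", 1)
            fields[f"{section}/{key.strip()}"] = value.strip()
    return fields

def version_tuple(text):
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    return tuple(int(x) for x in m.groups()) if m else None

def triage(text):
    f = parse_dmi(text)
    installed = version_tuple(f.get("BIOS Information/Version", ""))
    fixed = FIXED_IN.get(f.get("System Information/Product Name"))
    if fixed and installed:
        return "UPDATE" if installed < fixed else "OK"
    try:  # model not in the table: fall back to firmware age
        released = datetime.strptime(f.get("BIOS Information/Release Date", ""), "%m/%d/%Y").date()
    except ValueError:
        return "UNKNOWN"
    return "STALE" if released < ADVISORY_DATE else "RECENT"

def report(inventory=SAMPLE):
    return {host: triage(text) for host, text in inventory.items()}
```

STALE and RECENT are age hints only; a RECENT result still has to be confirmed against the vendor's release notes.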
only certain business laptops/desktops/POS/workstation & thin client PCs have bios updates available, guenni.
there are NO such "consumer" HP models listed in the "SoftPaqs and affected products" section of the HP PC BIOS – May 2022 Security Updates page.