There are six serious vulnerabilities in the firmware of HP business systems (notebooks, desktops, etc.) that have gone unfixed by updates for a year. For some HP enterprise systems there are still no firmware updates, although the vulnerabilities have been publicly known for a month. That is what the security team at Binarly reports; it discussed some of these vulnerabilities in HP EliteBooks at the Black Hat 2022 conference.
HP EliteBooks are, after all, not exactly inexpensive notebooks; they are marketed specifically for business use in corporate environments, and HP also sells desktop systems for business use. I would have expected HP to react promptly to known vulnerabilities and close them.
HP EliteBook 845, Source: HP
However, that does not appear to be the case: in the blog post Binarly Finds Six High Severity Firmware Vulnerabilities In HP Enterprise Devices, security vendor Binarly writes that even a month after the vulnerabilities became public, some HP enterprise devices have still not received updates.
6 firmware vulnerabilities found
Binarly security researchers found six serious vulnerabilities in various HP product lines and disclosed them to HP. The vulnerabilities allow arbitrary code execution in System Management Mode (SMM), the most privileged execution mode of the x86 CPU, which runs from memory (SMRAM) the operating system cannot see. The vulnerabilities in question are listed below, along with their CVSS score.
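As an added illustration (this is not code from HP, Binarly or the advisory, and the page does not publish the details of the actual HP bugs), here is the generic SMI-handler pattern behind most "arbitrary code execution in SMM" findings: the handler takes a pointer from the OS-supplied communication buffer and writes through it while running in SMM, without checking that the target lies outside SMRAM. A ring-0 caller can therefore point it at SMM code or data. The hardened variant validates the communication buffer and every pointer it carries first. SMRAM is simulated as a static buffer so the example runs in user space; the layout, offsets, names and values are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated SMRAM. In real firmware this is a reserved physical range that
 * only code running in System Management Mode can access. Here it is a static
 * buffer so the example runs in user space; the layout is hypothetical. */
#define SMRAM_SIZE 4096
#define SMM_PRIVATE_OFF 0x100   /* hypothetical offset of a word standing in for SMM code/data */
static uint8_t smram[SMRAM_SIZE];

/* Memory owned by the OS, i.e. where an SMI handler may legitimately write results. */
static uint32_t os_memory[4];

/* Communication buffer the OS hands to the SMI handler. The OS, and therefore
 * any attacker with ring-0 access, controls every field. */
typedef struct {
    uint8_t *dest;    /* where the handler should store its result */
    uint32_t value;   /* what to store */
} comm_buf_t;

void smram_init(void) {
    uint32_t magic = 0xC0FFEE;                /* constructed "SMM private" content */
    memset(smram, 0, sizeof smram);
    memset(os_memory, 0, sizeof os_memory);
    memcpy(smram + SMM_PRIVATE_OFF, &magic, sizeof magic);
}

uint32_t smm_private_word(void) {
    uint32_t v;
    memcpy(&v, smram + SMM_PRIVATE_OFF, sizeof v);
    return v;
}

/* Vulnerable pattern: the handler trusts the pointer in the comm buffer and
 * writes through it while in SMM. Pointing dest into SMRAM overwrites SMM
 * code or data (a write-what-where primitive). */
void smi_handler_vulnerable(const comm_buf_t *cb) {
    memcpy(cb->dest, &cb->value, sizeof cb->value);
}

/* Returns 1 if [p, p+len) lies entirely outside SMRAM, 0 otherwise. The
 * wrap-around check matters: a huge len must not make the range appear to
 * end before it starts. Same idea as EDK2's SmmIsBufferOutsideSmmValid(),
 * but this is a stand-alone reimplementation, not the EDK2 code. */
int buffer_outside_smram(const void *p, size_t len) {
    uintptr_t start = (uintptr_t)p;
    uintptr_t s0 = (uintptr_t)smram, s1 = s0 + SMRAM_SIZE;
    uintptr_t end;
    if (len == 0 || start + len < start) return 0;
    end = start + len;
    return (end <= s0 || start >= s1) ? 1 : 0;
}

/* Hardened pattern: validate the comm buffer itself and every pointer it
 * carries before dereferencing anything in SMM. 0 = done, -1 = rejected. */
int smi_handler_hardened(const comm_buf_t *cb) {
    if (!buffer_outside_smram(cb, sizeof *cb)) return -1;
    if (!buffer_outside_smram(cb->dest, sizeof cb->value)) return -1;
    memcpy(cb->dest, &cb->value, sizeof cb->value);
    return 0;
}

/* Scenario helpers so the outcomes can be checked as return values. */
int demo_vulnerable_overwrites_smram(void) {
    comm_buf_t attack = { smram + SMM_PRIVATE_OFF, 0xDEADBEEF };
    smram_init();
    smi_handler_vulnerable(&attack);
    return smm_private_word() == 0xDEADBEEF;   /* 1: SMM data was clobbered */
}

int demo_hardened_rejects_smram_target(void) {
    comm_buf_t attack = { smram + SMM_PRIVATE_OFF, 0xDEADBEEF };
    smram_init();
    return smi_handler_hardened(&attack) == -1 && smm_private_word() == 0xC0FFEE;
}

int demo_hardened_accepts_os_target(void) {
    comm_buf_t legit = { (uint8_t *)&os_memory[1], 0x1234 };
    smram_init();
    return smi_handler_hardened(&legit) == 0 && os_memory[1] == 0x1234;
}

int main(void) {
    printf("vulnerable handler overwrote SMRAM: %d\n", demo_vulnerable_overwrites_smram());
    printf("hardened handler rejected SMRAM target: %d\n", demo_hardened_rejects_smram_target());
    printf("hardened handler served OS target: %d\n", demo_hardened_accepts_os_target());
    return 0;
}
```

The range check rejects not only pointers squarely inside SMRAM but also a buffer that merely straddles its boundary, and it treats a zero length or an overflowing length as invalid rather than as "outside". In real firmware the same check must be applied to every pointer reachable from the comm buffer (nested structures included), and the comm buffer has to be copied into SMRAM before validation so the OS cannot change it between check and use.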
The HP PSIRT team published the security alert HPSBHF03806 (HP PC BIOS August 2022 Additional Updates for Potential SMM and TOCTOU Vulnerabilities) on August 11, 2022. It states that potential security vulnerabilities have been identified in the system BIOS of certain HP PC products, which could allow arbitrary code execution, escalation of privilege, denial of service and information disclosure.
HP has released BIOS updates for some of the affected devices to address these potential vulnerabilities. For a number of devices, however, the firmware update status is still "pending", i.e. no update is available yet. The list of affected devices (HP Elite, HP Zx etc.) and the download links for the available firmware updates can be found in the security alert HPSBHF03806 linked above.