A number of firmware security flaws uncovered in HP’s business-oriented high-end notebooks continue to be left unpatched in some devices even months after public disclosure.
Binarly, which first revealed details of the issues at the Black Hat USA conference in mid-August 2022, said the vulnerabilities “can’t be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement.”
Firmware flaws can have serious implications as they can be abused by an adversary to achieve long-term persistence on a device in a manner that can survive reboots and evade traditional operating system-level security protections.
The high-severity weaknesses identified by Binarly affect HP EliteBook devices and concern a case of memory corruption in the System Management Mode (SMM) of the firmware, thereby enabling the execution of arbitrary code with the highest privileges –
- CVE-2022-23930 (CVSS score: 8.2) – Stack-based buffer overflow
- CVE-2022-31640 (CVSS score: 7.5) – Improper input validation
- CVE-2022-31641 (CVSS score: 7.5) – Improper input validation
- CVE-2022-31644 (CVSS score: 7.5) – Out-of-bounds write
- CVE-2022-31645 (CVSS score: 8.2) – Out-of-bounds write
- CVE-2022-31646 (CVSS score: 8.2) – Out-of-bounds write
Three of the bugs (CVE-2022-23930, CVE-2022-31640, and CVE-2022-31641) were notified to HP in July 2021, with the remaining three vulnerabilities (CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646) reported in April 2022.
It’s worth noting that CVE-2022-23930 is also one of the 16 security flaws that were previously flagged this February as impacting several enterprise models from HP.
SMM, also called “Ring -2,” is a special-purpose mode used by the firmware (i.e., UEFI) for handling system-wide functions such as power management, hardware interrupts, or other proprietary original equipment manufacturer (OEM) designed code.
Shortcomings identified in the SMM component can, therefore, act as a lucrative attack vector for threat actors to perform nefarious activities with higher privileges than that of the operating system.
Although HP has released mitigations to address the flaws in March and August, the vendor has yet to push the patches for all impacted models, potentially exposing customers to the risk of cyberattacks.
“In many cases, firmware is a single point of failure between all the layers of the supply chain and the endpoint customer device,” Binarly said, adding, “fixing vulnerabilities for a single vendor is not enough.”
“As a result of the complexity of the firmware supply chain, there are gaps that are difficult to close on the manufacturing end since it involves issues beyond the control of the device vendors.”
The disclosure also arrives as the PC maker last week rolled out fixes for a privilege escalation flaw (CVE-2022-38395, CVSS score: 8.2) in its Support Assistant troubleshooting software.
“It is possible for an attacker to exploit the DLL hijacking vulnerability and elevate privileges when Fusion launches the HP Performance Tune-up,” the company noted in an advisory.