Multiple high-severity firmware bugs in HP enterprise computers remain unpatched, some more than a year after Binarly security researchers disclosed the vulnerabilities to HP and then discussed them at the Black Hat security conference last month.
This means that the vulnerabilities, with severity scores ranging from 7.5 to 8.2, can still be exploited by miscreants looking to perform a range of nefarious deeds, from stealing data to shutting down the machine altogether. And because the bugs were the subject of a Black Hat talk, would-be cybercriminals essentially have a how-to kit available at their disposal.
HP is “aware of potential SMM vulnerabilities reported by Binarly,” according to a spokesperson, who directed The Register to a security alert from March that addressed one of the bugs (CVE-2022-23930).
“Security is always a top priority for HP and we appreciate Binarly’s contributions to help make HP products more secure,” the spokesperson said in an emailed statement. “We encourage all customers to keep their systems updated with the latest software, drivers, and firmware to help protect against vulnerabilities.”
However, patches for three of the bugs (CVE-2022-31644,CVE-2022-31645 and CVE-2022-31646) across multiple business notebooks, desktops, retail point-of-sale systems, and workstations were still listed as “pending” according to an August security bulletin, while CVE-2022-31640 and CVE-2022-31641 remained unpatched in some workstation models and thin-client PCs as of September 9.
HP did not respond to The Register‘s questions about when it would issue fixes for these devices.
Binarly CEO and co-founder Alex Matrosov said his team disclosed the vulnerabilities to HP in July 2021 and April 2022 before discussing the bugs in a Black Hat talk last month and then posting a blog about them last week.
“The main reason for the blog on September 8 was raising additional awareness since we see a lot of issues have been triggered in our clients enterprise environments on completely patched HP devices,” he told The Register.
In the blog, the Binarly security researchers detail six arbitrary code execution vulnerabilities due to System Management Mode (SMM) memory corruption problems. Specifically, these include:
CVE-2022-23930, a stack-based buffer overflow vulnerability that leads to escalating privileges to SMM. CVSS score: 8.2.
CVE-2022-31644, out-of-bounds write, due to improper input validation in a Communication Buffer. This could allow an attacker to bypass Secure Boot and other security mechanisms and install a firmware backdoor in BIOS for persistence. CVSS score: 7.5.
CVE-2022-31645, another out-of-bounds write vulnerability that could also lead to a backdoor in BIOS. CVSS score: 8.2.
CVE-2022-31646, an out-of-bounds write vulnerability based on direct memory manipulation API functionality that leads to privilege escalation. CVSS score: 8.2.
CVE-2022-31640, a callout vulnerability that could allow an attacker to access the SMM and execute arbitrary code. CVSS score: 7.5.
CVE-2022-31641, another SMM callout vulnerability that could lead to arbitrary code execution. CVSS score: 7.5.
When asked if the Binarly researchers had any insight into when HP planned to fix the flaws, Matrosov said he hadn’t heard from the vendor.
“It should be patched already according to the coordinated disclosure timeline on Aug. 10,” he added.
Still, he noted that firmware holes can be especially difficult to fully fix because they typically impact not just one vendor, but everyone that uses the Independent BIOS Developers (IBV) code in their UEFI firmware software.
“Even device vendors sometimes have difficulty identifying all the affected products due to supply chain complexity,” Matrosov said.
To help companies “recover from these repeatable failures,” the company created and open sourced Binarly FwHunt, he added. It also provides a free service that scans UEFI firmware images for vulnerabilities. ®