High-Severity Firmware Security Flaws Left Unpatched in HP Enterprise Devices - GoFuckYourself.com

TheLegacy · 09-15-2022, 09:22 AM

A number of firmware security flaws uncovered in HP's business-oriented high-end notebooks continue to be left unpatched in some devices even months after public disclosure.

Binarly, which first revealed details of the issues at the Black Hat USA conference in mid-August 2022, said the vulnerabilities "can't be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement."

Firmware flaws can have serious implications as they can be abused by an adversary to achieve long-term persistence on a device in a manner that can survive reboots and evade traditional operating system-level security protections.

The high-severity weaknesses identified by Binarly affect HP EliteBook devices and concern a case of memory corruption in the System Management Mode (SMM) of the firmware, thereby enabling the execution of arbitrary code with the highest privileges -

CVE-2022-23930 (CVSS score: 8.2) - Stack-based buffer overflow
CVE-2022-31640 (CVSS score: 7.5) - Improper input validation
CVE-2022-31641 (CVSS score: 7.5) - Improper input validation
CVE-2022-31644 (CVSS score: 7.5) - Out-of-bounds write
CVE-2022-31645 (CVSS score: 8.2) - Out-of-bounds write
CVE-2022-31646 (CVSS score: 8.2) - Out-of-bounds write

Three of the bugs (CVE-2022-23930, CVE-2022-31640, and CVE-2022-31641) were notified to HP in July 2021, with the remaining three vulnerabilities (CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646) reported in April 2022.

It's worth noting that CVE-2022-23930 is also one of the 16 security flaws that were previously flagged this February as impacting several enterprise models from HP.

SMM, also called "Ring -2," is a special-purpose mode used by the firmware (i.e., UEFI) for handling system-wide functions such as power management, hardware interrupts, or other proprietary original equipment manufacturer (OEM) designed code.

Shortcomings identified in the SMM component can, therefore, act as a lucrative attack vector for threat actors to perform nefarious activities with higher privileges than that of the operating system.

https://thehackernews.com/2022/09/high-severity-firmware-security-flaws.html?fbclid=IwAR0Q0mCaZ5il9bGNSkqfrrggxixBZ7 kITqYlPdidPPZI3YEsYY1-y7HFUo4

09-15-2022, 09:22 AM	#1
TheLegacy I'm Bi-sexy Industry Role: Join Date: Apr 2003 Location: Brantford, Ontario Posts: 14,587	High-Severity Firmware Security Flaws Left Unpatched in HP Enterprise Devices A number of firmware security flaws uncovered in HP's business-oriented high-end notebooks continue to be left unpatched in some devices even months after public disclosure. Binarly, which first revealed details of the issues at the Black Hat USA conference in mid-August 2022, said the vulnerabilities "can't be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement." Firmware flaws can have serious implications as they can be abused by an adversary to achieve long-term persistence on a device in a manner that can survive reboots and evade traditional operating system-level security protections. The high-severity weaknesses identified by Binarly affect HP EliteBook devices and concern a case of memory corruption in the System Management Mode (SMM) of the firmware, thereby enabling the execution of arbitrary code with the highest privileges - CVE-2022-23930 (CVSS score: 8.2) - Stack-based buffer overflow CVE-2022-31640 (CVSS score: 7.5) - Improper input validation CVE-2022-31641 (CVSS score: 7.5) - Improper input validation CVE-2022-31644 (CVSS score: 7.5) - Out-of-bounds write CVE-2022-31645 (CVSS score: 8.2) - Out-of-bounds write CVE-2022-31646 (CVSS score: 8.2) - Out-of-bounds write Three of the bugs (CVE-2022-23930, CVE-2022-31640, and CVE-2022-31641) were notified to HP in July 2021, with the remaining three vulnerabilities (CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646) reported in April 2022. It's worth noting that CVE-2022-23930 is also one of the 16 security flaws that were previously flagged this February as impacting several enterprise models from HP. SMM, also called "Ring -2," is a special-purpose mode used by the firmware (i.e., UEFI) for handling system-wide functions such as power management, hardware interrupts, or other proprietary original equipment manufacturer (OEM) designed code. Shortcomings identified in the SMM component can, therefore, act as a lucrative attack vector for threat actors to perform nefarious activities with higher privileges than that of the operating system. https://thehackernews.com/2022/09/high-severity-firmware-security-flaws.html?fbclid=IwAR0Q0mCaZ5il9bGNSkqfrrggxixBZ7 kITqYlPdidPPZI3YEsYY1-y7HFUo4 __________________ Robert "TheLegacy" Warren Skype: robjameswarren RobertWarrenSEO.com