High-Severity Firmware Security Flaws Left Unpatched in HP Enterprise Devices

A number of firmware security flaws uncovered in HP’s
business-oriented high-end notebooks continue to be left unpatched
in some devices even months after public disclosure.

Binarly, which first revealed details[1]
of the issues at the Black Hat USA conference[2] in mid-August 2022, said
the vulnerabilities “can’t be detected by firmware integrity
monitoring systems due to limitations of the Trusted Platform
Module (TPM) measurement.”

Firmware flaws can have serious implications because an adversary
who exploits them can achieve long-term persistence on a device that
survives reboots and evades traditional operating system-level
security protections.

The high-severity weaknesses identified by Binarly affect HP
EliteBook devices and stem from memory corruption in the firmware's
System Management Mode (SMM), enabling the execution of arbitrary
code with the highest privileges:

  • CVE-2022-23930 (CVSS score: 8.2) – Stack-based buffer overflow
  • CVE-2022-31640 (CVSS score: 7.5) – Improper input validation
  • CVE-2022-31641 (CVSS score: 7.5) – Improper input validation
  • CVE-2022-31644 (CVSS score: 7.5) – Out-of-bounds write
  • CVE-2022-31645 (CVSS score: 8.2) – Out-of-bounds write
  • CVE-2022-31646 (CVSS score: 8.2) – Out-of-bounds write

Three of the bugs (CVE-2022-23930, CVE-2022-31640, and
CVE-2022-31641) were reported to HP in July 2021, and the
remaining three (CVE-2022-31644, CVE-2022-31645, and
CVE-2022-31646) in April 2022.

It's worth noting that CVE-2022-23930 is also one of the
16 security flaws[3] flagged earlier this February as impacting
several enterprise models from HP.

SMM, also called "Ring -2," is a special-purpose mode[4]
used by the firmware (i.e., UEFI) to handle system-wide functions
such as power management and hardware interrupts, as well as other
proprietary code written by the original equipment manufacturer
(OEM).

Shortcomings in the SMM component can therefore serve as a lucrative
attack vector for threat actors to perform nefarious activities[5]
with privileges higher than those of the operating system itself.

Although HP has released updates[6] to address[7] the flaws[8]
in March and August, the vendor has yet to ship patches for all
impacted models, potentially exposing customers to the risk of
cyberattacks.

“In many cases firmware is a single point of failure between all
the layers of the supply chain and the endpoint customer device,”
Binarly said[9], adding, “fixing
vulnerabilities for a single vendor is not enough.”

“As a result of the complexity of the firmware supply chain[10], there are gaps that
are difficult to close on the manufacturing end since it involves
issues beyond the control of the device vendors.”

The disclosure also arrives as the PC maker last week rolled out
fixes for a privilege escalation flaw (CVE-2022-38395, CVSS score:
8.2) in its Support Assistant troubleshooting software.

“It is possible for an attacker to exploit the DLL hijacking
vulnerability and elevate privileges when Fusion launches the HP
Performance Tune-up,” the company noted[11] in an advisory.

References

  1. revealed details (binarly.io)
  2. Black Hat USA conference (www.blackhat.com)
  3. 16 security flaws (thehackernews.com)
  4. special-purpose mode (thehackernews.com)
  5. perform nefarious activities (thehackernews.com)
  6. updates (support.hp.com)
  7. address (support.hp.com)
  8. flaws (support.hp.com)
  9. said (binarly.io)
  10. firmware supply chain (thehackernews.com)
  11. noted (support.hp.com)