In short: Several HP enterprise devices are running firmware that contains as many as six unpatched security holes that allow arbitrary code execution. Some of them are at least a year old, and researchers publicly disclosed all of them over a month ago. As of this writing, all remain unpatched.
At the Black Hat 2022 conference last month, enterprise security firm Binarly disclosed six tracked vulnerabilities in several HP product lines, including EliteBooks. In a blog post last week, it shared the details with the broader public.
All of the weaknesses involve a System Management Mode (SMM) memory corruption that opens the window for arbitrary code execution. These vulnerabilities allow an attacker to implant malware in a device's firmware so that it can persist even after a fresh installation of the operating system. This persistence is why the holes register as high-severity threats.
"The impact of targeting unprivileged non-SMM DXE runtime drivers or applications by a threat actor is often underestimated," said Binarly. "This kind of malicious DXE driver can bypass Secure Boot and influence further boot stages."
The six vulnerabilities were among 16 high-severity threats that Binarly disclosed at the conference. Developers at HP patched 10 of them, but the remaining ones are still wide open. What's more, the bugs are not new. Researchers discovered three in July 2021 and three in April of this year.
Half of the issues allow buffer overflows due to improper handling of pointers in the CommBuffer. Checks to verify that the buffer is within an expected range are missing. Two others exist because of improper input validation. Binarly says this oversight allows attackers to gain control of the CommBuffer and modify it. The last vulnerability is caused by a lack of sanitization in the CommBuffer. Attackers with control of the buffer can create a stack-based overflow leading to an opportunity for arbitrary code execution in SMM.
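To make the bug class concrete, here is an added example (not HP's or Binarly's code) of the checks an SMI handler needs before trusting a pointer and length taken from the CommBuffer: the SMRAM window, the request layout and the handler are all constructed for illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

/* Constructed SMRAM window for this stand-alone example; on real hardware
 * the handler takes these from the platform's SMRAM map. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL

/* Hypothetical SMI request layout: a caller-supplied pointer and length
 * passed through the CommBuffer, the pattern the article describes. */
typedef struct {
    uint64_t data_ptr;   /* caller-controlled address */
    uint64_t data_len;   /* caller-controlled length */
} SmiRequest;

/* The missing range check: true only if [addr, addr+len) does not wrap
 * and lies entirely outside SMRAM, so the handler cannot be steered into
 * reading or writing its own protected memory. */
bool comm_buffer_is_valid(uint64_t addr, uint64_t len)
{
    if (len == 0 || addr + len < addr)   /* empty or wrapping range */
        return false;
    uint64_t end = addr + len;
    return end <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* Hardened handler: refuses the request unless the pointer range is valid
 * and the length fits the fixed stack buffer. Skipping either check gives
 * the defect class above (SMRAM corruption or a stack-based overflow in
 * SMM). Returns 0 when the copy was performed, -1 when it was refused. */
int smi_handler(const SmiRequest *req)
{
    uint8_t local[64];
    if (!comm_buffer_is_valid(req->data_ptr, req->data_len))
        return -1;
    if (req->data_len > sizeof local)
        return -1;
    memcpy(local, (const void *)(uintptr_t)req->data_ptr, (size_t)req->data_len);
    return 0;
}

/* Issues a request backed by a real buffer in this process, with a
 * caller-chosen claimed length, so the handler can be exercised safely. */
int request_with_real_buffer(uint64_t claimed_len)
{
    uint8_t payload[64] = {0};
    SmiRequest req = { (uint64_t)(uintptr_t)payload, claimed_len };
    return smi_handler(&req);
}
```

The first two branches in comm_buffer_is_valid are what FwHunt-style rules look for the absence of: a handler that dereferences data_ptr without them is the pattern Binarly reported.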
"Unfortunately, at the time of writing, some HP enterprise devices (laptops and desktops) have still not received updates to patch the aforementioned vulnerabilities, despite them being publicly disclosed for over a month," Binarly notes.
Researchers privately reported all the issues to HP as they discovered them, but they remained unpatched. So Binarly used Black Hat 2022 to disclose and discuss the weaknesses to warn enterprise admins of the threats.
Since these vulnerabilities are at the firmware level, full mitigation can only come from HP. However, Binarly has software available on GitHub called FwHunt that can determine whether the threats exist in an organization's infrastructure. Detection will at least allow administrators to isolate and possibly contain vulnerable machines.