High Severity Vulnerabilities Found in HP Enterprise Devices

  • The Binarly security research team has disclosed six high–severity firmware vulnerabilities the company found over the course of the year.

    First discussed at the Black Hat 2022 conference, the flaws affect HP EliteBook devices and have Common Vulnerability Scoring System (CVSS) scores between 7.5 and 8.2.

    “A firmware implant is the final goal for an attacker to maintain persistence,” Binarly wrote in an advisory last Thursday. “The attacker can install the malicious implant on different levels of the firmware, either as a modified legitimate module or a standalone driver.”

    According to the document, the impact of targeting unprivileged non–system management mode (SMM) driver execution environment (DXE) runtime drivers or applications by a threat actor is often underestimated, and this type of malicious DXE driver can bypass Secure Boot and influence additional boot stages.

    “In many cases, firmware is a single point of failure between all the layers of the supply chain and the endpoint customer device,” Binarly wrote.

    The company also warned that some of the HP Enterprise vulnerabilities it disclosed at Black Hat have not yet been patched.

    “Unfortunately, at the time of writing, some HP enterprise devices (laptops and desktops) have still not received updates to patch the aforementioned vulnerabilities, despite them being publicly disclosed for over a month,” the advisory reads.

    At the same time, the security company said it has made available in its GitHub repository the FwHunt rules for the HP vulnerabilities discussed in its latest advisory.

    “We encourage defenders and research partners to use these rules to scope, at scale, vulnerable devices in their enterprise infrastructure,” Binarly explained.

    “Additionally, these rules are being pushed to the Linux Vendor Firmware Service (LVFS) to enhance the supply chain security and awareness in enterprise environments worldwide.”

    The Binarly advisory comes weeks after a report by Team82 suggested the number of vulnerability disclosures impacting extended internet of things (XIoT) devices increased by 57% in the first half of 2022.