These bugs were discovered by the Binarly team, some last year and some this year, and shared with HP for patching. Although the company released patches for some models, most others remain vulnerable even after a year.
RCE Bugs in HP Enterprise Devices
Researchers at Binarly discovered six vulnerabilities in several HP Enterprise devices that could put users at risk of various cyberattacks. The six vulnerabilities are in the firmware of these HP devices, which makes them harder for the vendor to patch. Firmware infections can be particularly dangerous, as malware that gets into firmware can persist on the victim's system, even across OS re-installations, giving attackers more time and room for malicious operations. The six bugs are as follows:
CVE-2022-23930 – Stack-based buffer overflow leading to arbitrary code execution. (CVSS v3 score: 8.2 “High”)
CVE-2022-31644 – Out-of-bounds write on CommBuffer, allowing partial validation bypassing. (CVSS v3 score: 7.5 “High”)
CVE-2022-31645 – Out-of-bounds write on CommBuffer based on not checking the size of the pointer sent to the SMI handler. (CVSS v3 score: 8.2 “High”)
CVE-2022-31646 – Out-of-bounds write based on direct memory manipulation API functionality, leading to privilege elevation and arbitrary code execution. (CVSS v3 score: 8.2 “High”)
CVE-2022-31640 – Improper input validation gives attackers control of the CommBuffer data and opens the path to unrestricted modifications. (CVSS v3 score: 7.5 “High”)
CVE-2022-31641 – Callout vulnerability in the SMI handler leading to arbitrary code execution. (CVSS v3 score: 7.5 “High”)
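Several of the bugs above come down to an SMI handler trusting a CommBuffer pointer, size, or length field supplied by the OS. As an added illustration (not code from HP, Binarly, or the original article), this self-contained C simulation shows the checks such a handler needs before using the buffer; the SMRAM window, request layout, and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Constructed SMRAM window for this simulation (not a real platform's). */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL

/* Hypothetical request layout carried in the CommBuffer. */
typedef struct {
    uint32_t command;
    uint32_t data_len;     /* bytes of payload[] the caller claims are valid */
    uint8_t  payload[64];
} comm_request_t;

enum { SMI_OK, SMI_BAD_SIZE, SMI_BAD_ADDRESS, SMI_BAD_LENGTH };

static uint8_t smm_private[64];   /* stands in for handler state inside SMRAM */

/* True when [addr, addr + len) does not wrap and lies wholly outside SMRAM. */
static int outside_smram(uint64_t addr, uint64_t len) {
    if (len == 0 || addr + len < addr) return 0;
    return addr + len <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* claimed_addr is the physical address the OS passed; buf is the simulation's
   view of that memory; size_ptr is the caller-controlled size field. */
int smi_handler(uint64_t claimed_addr, const void *buf, const size_t *size_ptr) {
    comm_request_t req;
    size_t size;

    if (buf == NULL || size_ptr == NULL) return SMI_BAD_SIZE;
    size = *size_ptr;                        /* read once; caller can change it */
    if (size != sizeof(req)) return SMI_BAD_SIZE;
    if (!outside_smram(claimed_addr, size)) return SMI_BAD_ADDRESS;

    memcpy(&req, buf, sizeof(req));          /* snapshot: no re-reads (TOCTOU) */
    if (req.data_len > sizeof(req.payload)) return SMI_BAD_LENGTH;

    memcpy(smm_private, req.payload, req.data_len);
    return SMI_OK;
}

/* Helper for trying the handler: builds a constructed request and submits it. */
int submit(uint64_t addr, size_t size, uint32_t data_len) {
    comm_request_t r;
    memset(&r, 0, sizeof(r));
    r.data_len = data_len;
    return smi_handler(addr, &r, &size);
}
```

Dropping any one of the three checks reproduces a bug class from the list: a missing size check, a buffer that overlaps SMRAM, or an unchecked inner length that drives an out-of-bounds write.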
Researchers discovered all the bugs in HP’s SMM (System Management Mode) code and warned that exploiting them could lead to memory corruption problems, eventually letting the hackers execute arbitrary code remotely. Though HP has released three security advisories acknowledging these bugs, along with relevant patches for the BIOS, it’s still hard to secure all the devices. Impacted models include many business notebook series like Elite, Zbook, and ProBook, business desktop PCs like ProDesk, EliteDesk, and ProOne, HP workstations like Z1, Z2, Z4, and Zcentral, and even point-of-sale systems. Since not all of these devices have received a patch, even after HP was informed in July 2021, it is safest to assume that users of the above devices are at risk and should be alert to potential attacks.