Six high-severity vulnerabilities were found to plague HP laptops and computers. Even though some of the bugs were disclosed over a year ago, researchers say they’re still not fixed.
Vulnerabilities with CVSS scores ranging from 7.5 to 8.2 plague the firmware HP uses in its laptops and computers. Firmware flaws are extremely dangerous as threat actors can install malware, avoiding detection services that the device’s operating system provides.
According to researchers at firmware security firm Binarly, HP was informed about the flaws between July 2021 and April 2022, meaning some of the vulnerabilities have been present for over a year.
The flaws could allow threat actors to execute arbitrary code by exploiting problems in the System Management Module (SMM) memory. SMM is used in the Unified Extensible Firmware Interface (UEFI) to handle power management, system hardware control, and other tasks.
Researchers claim that the vulnerabilities they discovered allow attackers to install malware on different firmware levels, which can lead to privilege escalation. Moreover, the flaws can be used to deactivate the Secure Boot feature and create backdoors to the victims’ device.
Affected HP devices include HP ZBook workstations, HP ProBook, HP EliteBook laptops, HP Elite PCs, and HP ZHAN notebooks.
HP is not the only major vendor to suffer from firmware flaws. Researchers at cybersecurity company ESET recently warned that over 70 models of Lenovo notebook devices are fitted with vulnerable UEFI firmware.
The vulnerabilities affected several Lenovo laptops, such as ThinkBook 13s-IML, ThinkBook 14-IIL, ThinkBook 14-IML, and other laptop models.
The attackers could have exploited the vulnerabilities by creating a non-volatile random-access memory (NVRAM) variable and causing a buffer overflow of the data buffer.
Source:https://cybernews.com/news/hp-left-computer-firmware-flaws-unfixed-for-over-a-year/