Researchers publicly warn that multiple HP firmware vulnerabilities remain unpatched after...

Cal Jeffrey

Posts: 3,663   +1,129
Staff member
In brief: Several HP enterprise devices are running firmware containing as many as six unpatched security holes that allow arbitrary code execution. Some of them are at least a year old, and researchers publicly disclosed all of them over a month ago. As of this writing, all remain unpatched.

At the Black Hat 2022 conference last month, enterprise security firm Binarly disclosed six tracked vulnerabilities in several HP product lines, including EliteBooks. In a blog post last week, it shared the details to the wider public.

All the weaknesses involved a System Management Mode (SMM) memory corruption that opens the window for arbitrary code execution. These vulnerabilities allow an attacker to implant malware in a device's firmware so that it can persist even after a fresh install of the operating system. This persistence is why the holes register as high threats.

"The impact of targeting unprivileged non-SMM DXE runtime drivers or applications by a threat actor is often underestimated," said Binarly. "This kind of malicious DXE driver can bypass Secure Boot and influence further boot stages."

The six vulnerabilities were among 16 high-severity threats that Binary disclosed at the conference. Developers at HP patched 10 of them, but the remaining are still wide open. Whatsmore, the bugs are not new. Researchers discovered three in July 2021 and three in April of this year.

Half the flaws allow buffer overflows because of inappropriate handling of pointers in the CommBuffer. Checks to verify that the buffer is within an expected range are missing. Two others exist because of improper input validation. Binarly says this oversight allows attackers to gain control of the CommBuffer and modify it. The last vulnerability is caused by a lack of sanitation in the CommBuffer. Attackers with control of the buffer can create a stack-based overflow leading to an opportunity for arbitrary code execution in SMM.

"Unfortunately, at the time of writing, some HP enterprise devices (laptops and desktops) have still not received updates to patch the aforementioned vulnerabilities, despite them being publicly disclosed for over a month," Binarly notes.

Researchers privately reported all the flaws to HP as they discovered them, but they remained unpatched. So Binarly used Black Hat 2022 to disclose and discuss the weaknesses to warn enterprise admins of the threats.

Since these vulnerabilities are at the firmware level, full mitigation can only come from HP. However, Binarly has software available on GitHub called FwHunt that can identify if the threats exist in a company's infrastructure. Detection will at least allow administrators to isolate and possibly contain vulnerable machines.

Permalink to story.

 

Uncle Al

Posts: 9,333   +8,533
Can't say I'm surprised .... did some consulting for HP years ago and I was shocked to see a company like this that was overwhelmed with "don't give a damn" employee's. Sadly it came from the top down and I've never seen any kind of change to make them any better .....
 

Mr Majestyk

Posts: 1,455   +1,360
HP worst company around for software support. Our uni used HP for many years and they were a total disaster to maintain. And don't get me started about their woeful printers and drivers. I rate them as being as crap as Acer.
 

Soulburn74

Posts: 125   +67
Good luck getting bios updates after a year or so from most vendors. My personal (asus) laptop's (11th gen) last bios update was from 2021. I will give kudos to Dell though, my work laptop still gets regular bios updates and its 9th gen.
 

johnsonlam.hk

Posts: 18   +7
When a company become a corporation, it's bureaucracy will become the building block and profit is the only target, ripping off customers become usual, no need to ask HP any after-sales service, it cost you money and not able to solve the problem.
 

takaozo

Posts: 423   +650
Good luck getting bios updates after a year or so from most vendors. My personal (asus) laptop's (11th gen) last bios update was from 2021. I will give kudos to Dell though, my work laptop still gets regular bios updates and its 9th gen.

My work horse, a Dell 5300 with a gen8 Intel last available bios update is 21 Aug 2022.
But dont have bios password or OS admin to patch.
 

rmcrys

Posts: 296   +239
Can't say I'm surprised .... did some consulting for HP years ago and I was shocked to see a company like this that was overwhelmed with "don't give a damn" employee's. Sadly it came from the top down and I've never seen any kind of change to make them any better .....

Exactly. I have over the last 2 decades a lot of HP devices (PCs, Printers...) and though I liked a lot the hardware (or most of it...), the software is a complete mess. I had several HUGE drivers´ problems, no connection to my printer, every now and then the printer didn´t connect and I had to reinstall *all* of the suit, not to mention I had to opt-out lots of things that came as "default".

The last drop was when I bought a HP Officejet printer (not discontinued at the time, still commercially available) that after 2.5 years the software didn´t work well anymore with W10 (last updates) and also not with W11 and after contacting HP they told me: "your printer is already out of warranty -2 years in the EU- so we don´t have to support it. Buy a new model or downgrade your windows". What?! I bought an expensive printer and after 2 years no more support?! So I had an old PC and everything I wanted to print I send to that PC and it printed out. As a "plus" for the change, the printer refused to use non-HP ink. It also drank a LOT of ink...

I changed to Canon and MEGA happy!!!

My experience with multifunction printers:
- HP: expensive ink, *horrible* software, black ink takes ages to dry and uses a lot
- Epson: printing heads dry out *very* fast which makes me clean the heads almost weekly > with this, ink cost raises massively (though per page, *if* printing heads didn´t block so frequently... the cost would be low)
- Canon: I´m on my first multifunction and though the ink storage is very small (and expensive), I don´t print that much. ATM zero issues with dry/blocked printing heads and the software is the best ATM. Very happy.