HP pushes out BIOS update addressing high-severity vulnerabilities affecting 200+ models
Check if yours is affected
By Rob Thubron
In brief: Do you own an HP laptop, desktop, or point-of-sale PC? Then you might want to ensure its BIOS is up to date. The company has just released updates for more than 200 device models that fix two high-severity vulnerabilities in the UEFI firmware.
As reported by Bleeping Computer, HP has issued an advisory over potential security vulnerabilities that could allow arbitrary code execution with kernel privileges, which would enable attackers to access a device's BIOS and plant malware that can't be removed by traditional antivirus software or by reinstalling the operating system.
Both vulnerabilities, CVE-2021-3808 and CVE-2021-3809, have a high-severity CVSS 3.1 base score of 8.8.
HP hasn't revealed any technical details about the vulnerabilities. That was left to security researcher Nicholas Starke, who discovered them but has not been credited by HP despite being told they would be.
"I've been working on a vulnerability for six months and the advisory was just made public yesterday. I was not credited anywhere, despite being told by @HP that I would be credited. Here is my blog post with the technical details: https://t.co/RzmXbLeN5Z (PSR-2021-0177 is mine)"
- nicholas starke (@nstarke), May 11, 2022
"This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM)," Starke wrote. "Executing in SMM gives an attacker full privileges over the host to further carry out attacks."
Starke added that some HP models have mitigations that would need to be bypassed for the vulnerabilities to be exploited, including the HP Sure Start system, which detects when the firmware runtime has been tampered with.
The extensive list of devices affected by the vulnerabilities includes business notebook PCs such as the Elite Dragonfly and several EliteBooks and ProBooks; business desktop PCs, including the EliteDesk and EliteOne; retail point-of-sale PCs like the Engage; desktop workstation PCs (Z1, Z2 lines); and four thin client PCs.
You can see the complete list of affected HP devices and the corresponding SoftPaqs here. Not all of them have received the updates yet.
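To check whether a machine is affected, the first step is to know its exact model and current BIOS version so they can be compared against HP's list of affected models and SoftPaqs. The following PowerShell inventory script is an added example, not code from the article or from HP; it reads the model and BIOS version through the standard Win32_BIOS and Win32_ComputerSystem CIM classes. The fixed BIOS version string is an assumed placeholder, because the article does not list per-model versions; take the real value from HP's advisory for your model.

```powershell
# Added example (not from the article or HP): report the model and BIOS version of a Windows
# machine so it can be compared against HP's list of affected models and SoftPaqs.
# Assumption: the fixed BIOS version is a placeholder; replace it with the version HP lists
# for this specific model.

$bios   = Get-CimInstance -ClassName Win32_BIOS
$system = Get-CimInstance -ClassName Win32_ComputerSystem

# Collect the fields an administrator needs to look the machine up in HP's advisory.
$report = [PSCustomObject]@{
    Manufacturer = $bios.Manufacturer
    Model        = $system.Model
    BiosVersion  = $bios.SMBIOSBIOSVersion
    BiosDate     = $bios.ReleaseDate
}

$report | Format-List

# Placeholder: HP BIOS version strings (e.g. a family code plus "Ver. xx.xx.xx") are not safely
# comparable as numbers, so this does a plain string match against the version HP publishes.
$fixedVersion = 'VERSION_FROM_HP_ADVISORY'

if ($bios.Manufacturer -notmatch 'HP|Hewlett') {
    Write-Output 'Not an HP system; this advisory does not apply.'
} elseif ($fixedVersion -eq 'VERSION_FROM_HP_ADVISORY') {
    Write-Output 'Look up the fixed BIOS version for this model in the HP advisory before comparing.'
} elseif ($bios.SMBIOSBIOSVersion -eq $fixedVersion) {
    Write-Output 'BIOS is at the version HP lists as fixed.'
} else {
    Write-Output "BIOS version $($bios.SMBIOSBIOSVersion) differs from the fixed version $fixedVersion; check the SoftPaq for this model."
}
```

Run it on each endpoint (or through your management tooling) and match the reported Model against HP's affected-device list; the SMBIOSBIOSVersion field is what HP's SoftPaq release notes refer to when they state which version contains the fix.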