HP BIOS Updates Fix Alarming Vulnerabilities Affecting 200 PCs, Patch ASAP

HP EliteBook X360 1030 G4 (open and angled)
Unlike driver updates, BIOS releases typically arrive far less often—usually when vendors add support for new CPUs, but also occasionally to improve stability and performance, or to address security vulnerabilities. Regarding the latter, HP is pushing out firmware updates for over 200 laptops and desktops to patch a pair of vulnerabilities that, if exploited, would allow an attacker to do very bad things on your PC.

The flaws are being tracked as CVE-2021-3808 and CVE-2021-3809, both with a Common Vulnerability Scoring System Version 3.1 (CVSS 3.1) base score of 8.8, which yields a "High" severity rating. HP provides little other information about the actual flaws in its security advisory, but does list a wide range of affected models.

Most of the affected models are business laptops and desktops, including various EliteBook, ProBook, and ZBook laptops, and a bunch of all-in-one desktops (among other models in both categories). However, the flaws also affect dozens of retail point-of-sale PCs, desktop workstations, and thin client models.

BIOS updates to mitigate CVE-2021-3808 and CVE-2021-3809 are available for most of the more than 200 systems and linked in the security advisory, though by our count, there are 23 models that are still pending, including all four affected thin client PC models.

While the security advisory doesn't delve into the technical details, the security researcher who discovered the flaws, Nicholas Starke, provided more information in a blog post.

"This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM). Executing in SMM gives an attacker full privileges over the host to further carry out attacks," Starke explains.

He goes on to describe how an attacker could exploit the vulnerability, which stems from the way the System Management Interrupt Handler (SMI Handler) can be triggered from a kernel execution context within the operating system.

From our reading, the overarching threat with these vulnerabilities is that an attacker could, in theory, plant a rootkit on a machine. That means the malware would still be present even after wiping or outright replacing the storage device (HDD or SSD), because it resides in firmware. Fortunately, there are mitigations in place to prevent this sort of thing, even without the updated BIOS code that HP is rolling out.

That said, if you own an affected PC, do yourself a solid and update the BIOS as soon as possible.