Security Report Finds Several Year Old HP Firmware Vulnerabilities Are Still Unpatched
The other three firmware vulnerabilities discussed in Binarly’s research were discovered and patched more recently. Binarly notified HP of these vulnerabilities in April of this year, and HP published patches at the beginning of August. Binarly publicly disclosed these additional vulnerabilities a day later at the Black Hat 2022 conference.
All six of the vulnerabilities are quite serious, as threat actors could exploit them to corrupt System Management Mode (SMM) memory and execute arbitrary code. SMM is intended to be used only by BIOS or UEFI firmware, as it possesses privileges beyond those of the operating system (OS) and any application software. An attacker could leverage these privileges to bypass security features and plant malware capable of surviving not only system restarts but possibly OS re-installs. We’ve listed all six of the vulnerabilities below so readers can learn more about them and check whether their own systems are vulnerable.
CVE ID | Binarly ID | CVSS Severity Rating |
CVE-2022-23930 | BRLY-2022-010 | 8.2 High |
CVE-2022-31644 | BRLY-2022-011 | 7.5 High |
CVE-2022-31645 | BRLY-2022-012 | 8.2 High |
CVE-2022-31646 | BRLY-2022-013 | 8.2 High |
CVE-2022-31640 | BRLY-2021-046 | 7.5 High |
CVE-2022-31641 | BRLY-2021-047 | 7.5 High |