Gandalf_The_Grey
A set of six high-severity firmware vulnerabilities impacting a broad range of HP Enterprise devices is still waiting to be patched, although some of them have been publicly disclosed since July 2021.
Firmware flaws are particularly dangerous because they can lead to malware infections that persist even between OS re-installations or allow long-term compromises that would not trigger standard security tools.
As Binarly highlights in the report, even though it’s been a month since they made some of the flaws public at Black Hat 2022, the vendor hasn’t released security updates for all impacted models, leaving many customers exposed to attacks.
The researchers reported three bugs to HP in July 2021 and the other three in April 2022, so the vendor had between four months and more than a full year to push updates for all affected devices.
HP has released three security advisories acknowledging the mentioned vulnerabilities, along with an equal number of BIOS updates addressing the issues for some of the impacted models.
CVE-2022-23930 was fixed on all impacted systems in March 2022, except for thin client PCs (check the advisory for details).
CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646 received security updates on August 9, 2022.
However, many business notebook PCs (Elite, ZBook, ProBook), business desktop PCs (ProDesk, EliteDesk, ProOne), point-of-sale systems, and HP workstations (Z1, Z2, Z4, ZCentral) have not received patches yet (check the advisory for details).
CVE-2022-31640 and CVE-2022-31641 received fixes throughout August, with the last update landing on September 7, 2022, but many HP workstations remain exposed without an official fix (check the advisory for details).
As Binarly comments, fixing firmware flaws is very challenging for a single vendor due to the complexity of the firmware supply chain, so many HP customers will have to accept the risk and ramp up their physical security measures.
Source: Firmware bugs in many HP computer models left unfixed for over a year (www.bleepingcomputer.com)