Firmware bugs in many HP computer models left unfixed for over a year

Gandalf_The_Grey

Gandalf_The_Grey

Level 76
Thread author
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Apr 24, 2016
6,578
Content source
https://www.bleepingcomputer.com/news/security/firmware-bugs-in-many-hp-computer-models-left-unfixed-for-over-a-year/
A set of six high-severity firmware vulnerabilities impacting a broad range of HP Enterprise devices are still waiting to be patched, although some of them were publicly disclosed since July 2021.

Firmware flaws are particularly dangerous because they can lead to malware infections that persist even between OS re-installations or allow long-term compromises that would not trigger standard security tools.

As Binarly highlights in the report, even though it’s been a month since they made some of the flaws public at Black Hat 2022, the vendor hasn’t released security updates for all impacted models, leaving many customers exposed to attacks.

The researchers reported three bugs to HP in July 2021 and the other three in April 2022, so the vendor had between four months and more than a full year to push updates for all affected devices.
Click to expand...
HP has released three security advisories acknowledging the mentioned vulnerabilities, along with an equal number of BIOS updates addressing the issues for some of the impacted models.

CVE-2022-23930 was fixed on all impacted systems in March 2022, except for thin client PCs (check advisory for details).

CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646 received security updates on August 9, 2022.

However, many business notebook PCs (Elite, Zbook, ProBook), business desktop PCs (ProDesk, EliteDesk, ProOne), point of sale systems, and also HP workstations (Z1, Z2, Z4, Zcentral) have not received patches yet (check advisory for details).

CVE-2022-31640 and CVE-2022-31641 received fixes throughout August, with the last update landing on September 7, 2022, but many HP workstations remain exposed without an official fix (check advisory for details).

As Binarly comments, fixing firmware flaws is very challenging for a single vendor due to the complexity of the firmware supply chain, so many HP customers will have to accept the risk and ramp up their physical security measures.
Click to expand...
www.bleepingcomputer.com

Firmware bugs in many HP computer models left unfixed for over a year

A set of six high-severity firmware vulnerabilities impacting a broad range of HP Enterprise devices are still waiting to be patched, although some of them were publicly disclosed since July 2021.
www.bleepingcomputer.com www.bleepingcomputer.com
 
  • Like
  • +Reputation
Reactions: upnorth, Venustus, peterfat11 and 5 others
You must log in or register to reply here.

Similar threads

MuzzMelbourne
    • Like
    • +Reputation
    • Applause
ASUS urges customers to patch critical router vulnerabilities
Replies
2
Views
1,072
News Archive
blackice
blackice
Ink
    • Like
    • +Reputation
Qualcomm says hackers exploit 3 zero-days in its GPU, DSP drivers
Replies
0
Views
945
News Archive
Ink
Ink
MuzzMelbourne
    • Applause
    • +Reputation
Western Digital Blocks Unpatched Devices From Cloud Services
Replies
0
Views
577
News Archive
MuzzMelbourne
MuzzMelbourne

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top