Multiple high-severity vulnerabilities affecting a number of HP business notebooks (opens in new tab), business desktop PCs (opens in new tab), point of sale systems, and workstations (opens in new tab), have been sitting unpatched for months on end, researchers have warned.
This could mean countless HP users are at risk of having their endpoints broken, their files stolen, or their digital accounts compromised, as all of the flaws found allow for arbitrary code execution.
What’s more, as the flaws are in the firmware, they can persist even after reinstalling the operating system, experts have warned.
Partial fix
According to Binarly, the company found a total of six vulnerabilities – three in July 2021 and three more in April 2022, all of which are System Management Module (SMM) memory corruption vulnerabilities.
The flaws are tracked as CVE-2022-23930 (8.2), CVE-2022-31644 (7.5), CVE-2022-31645 (8.2), CVE-2022-31646 (8.2), CVE-2022-31640 (7.5), and CVE-2022-31641 (7.5).
Since the disclosure, HP has published three security advisories for three of the flaws, and pushed three BIOS updates, fixing the flaws on some of the models.
However, the company has failed to release any patches for the devices in Elite, Zbook, or ProBook series, as well as for ProDesk, EliteDesk, and ProOne series. HP workstations, including Z1, Z2, Z4, and Zcentral, are also still vulnerable to the flaws.
Even though Binarly warned of the potential risk associated with not having patches for these flaws, the company did stress the difficulties that come with fixing vulnerabilities for a single vendor.
“As a result of the complexity of the firmware supply chain, there are gaps that are difficult to close on the manufacturing end since it involves issues beyond the control of the device vendors,” it said in its report.
TechRadar Pro has reached out to HP for a comment on when it plans on releasing fixes for the affected devices, and will update the article if we receive a reply.
Via: BleepingComputer (opens in new tab)
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba