HP Enterprise Devices Vulnerable to High Severity Firmware Flaws

Jamie Kavanagh
September 26th, 2022

HP has to be one of the most recognizable names in tech, with a reputation for delivering solid quality and reliability. Its name is particularly respected in enterprise, which is why you see so many HP laptops in meetings. That may not be such a good move if reports of unpatched firmware flaws are true, though.

Attendees at the Black Hat USA conference in August 2022 were alerted to the vulnerabilities within the TPM system of HP laptops.

Security company Binarly found that HP EliteBook devices were vulnerable to attacks that "can't be detected by firmware integrity monitoring systems due to limitations of the Trusted Platform Module (TPM) measurement."

The vulnerabilities have all been registered and are being tracked under:

  • CVE-2022-23930 (CVSS score: 8.2) - Stack-based buffer overflow
  • CVE-2022-31640 (CVSS score: 7.5) - Improper input validation
  • CVE-2022-31641 (CVSS score: 7.5) - Improper input validation
  • CVE-2022-31644 (CVSS score: 7.5) - Out-of-bounds write
  • CVE-2022-31645 (CVSS score: 8.2) - Out-of-bounds write
  • CVE-2022-31646 (CVSS score: 8.2) - Out-of-bounds write

The vulnerabilities are centered around memory corruption in the System Management Mode (SMM) of the firmware.

SMM handles lots of system functions, including power, hardware interrupts, and a wide range of other low-level operations. Any weakness in SMM can provide access to these functions in a way that won't necessarily be picked up by traditional security systems.

Apparently, HP has been made aware of the vulnerabilities but a patch or firmware update has yet to arrive.

Fortunately, it’s tough to attack firmware vulnerabilities. Not impossible of course, but tough.

So far, there are no reports of these vulnerabilities being exploited out there in the wild, but that doesn't mean there aren't any out there.

If you use HP EliteBook laptops in your organization, extra vigilance is going to be key until fixes are released.