Security Report Finds Several Year Old HP Firmware Vulnerabilities Are Still Unpatched
Research conducted by a team at the firmware security firm Binarly reveals that six vulnerabilities remain unpatched in various enterprise-grade HP laptops and desktops despite HP having developed patches for these vulnerabilities. Binarly discovered three of these vulnerabilities last year and notified HP of their existence in July 2021. After confirming the presence of these vulnerabilities in the company’s firmware, HP released patches for these three vulnerabilities in March of this year.
The other three firmware vulnerabilities discussed in Binarly’s research were discovered and patched more recently. Binarly notified HP of these vulnerabilities in April of this year, and HP published patches at the beginning of August. Binarly publicly disclosed these additional vulnerabilities a day later at the Blackhat 2022 conference.
The other three firmware vulnerabilities discussed in Binarly’s research were discovered and patched more recently. Binarly notified HP of these vulnerabilities in April of this year, and HP published patches at the beginning of August. Binarly publicly disclosed these additional vulnerabilities a day later at the Blackhat 2022 conference.
However, even though HP has released patches for all six of these vulnerabilities, the company still hasn’t applied the patches to its latest firmware. Last week, HP released a firmware update for laptops in its commercial laptop U99 family, but a FwHunt scan performed by the Linux Vendor Firmware Service (LVFS) detected the presence of the six vulnerabilities discovered by Binarly. These vulnerabilities remain in HP’s firmware even though the company released patches for three of these vulnerabilities a month ago, and it’s been six months since HP released patches for the other three.
All six of the vulnerabilities are quite serious, as threat actors could exploit them to corrupt System Management Module (SMM) memory and execute arbitrary code. SMM is intended to be used only by BIOS or UEFI firmware, as it possesses privileges beyond those of the operating system (OS) and any application software. An attacker could leverage these privileges to bypass security features and plant malware capable of surviving not only system restarts but possibly OS re-installs. We’ve listed all six of the vulnerabilities below so readers can learn more about them and check whether their own systems are vulnerable.
All six of the vulnerabilities are quite serious, as threat actors could exploit them to corrupt System Management Module (SMM) memory and execute arbitrary code. SMM is intended to be used only by BIOS or UEFI firmware, as it possesses privileges beyond those of the operating system (OS) and any application software. An attacker could leverage these privileges to bypass security features and plant malware capable of surviving not only system restarts but possibly OS re-installs. We’ve listed all six of the vulnerabilities below so readers can learn more about them and check whether their own systems are vulnerable.
| CVE ID |
Binarly ID | CVSS Severity Rating |
| CVE-2022-23930 |
BRLY-2022-010 | 8.2 High |
| CVE-2022-31644 | BRLY-2022-011 | 7.5 High |
| CVE-2022-31645 |
BRLY-2022-012 | 8.2 High |
| CVE-2022-31646 |
BRLY-2022-013 | 8.2 High |
| CVE-2022-31640 |
BRLY-2021-046 | 7.5 High |
| CVE-2022-31641 |
BRLY-2021-047 | 7.5 High |
