California-based HP Inc. has been prominent in the manufacturing and marketing of digital printers, and both personal and portable computers for years. However, since last year, it has been reported that several HP computers used in the business environment have shown flaws that put the systems in a vulnerable situation. Learn all the details in the following lines.
Read: Los Angeles school district was the victim of a ransomware attack
HP devices have critical vulnerabilities
Binarly was the first to discover these flaws and report them to the Palo Alto-based company in July 2021. But by 2022, these flaws have not been fixed, and the patch has not been released. By April of this year, three more vulnerabilities were reported, which still do not have security updates.
The only thing HP did was to acknowledge some of these flaws publicly at the Black Hat 2022 event, although many experts still don’t understand the company’s reasons for not releasing updates with security patches. The same researchers discovered that all the vulnerabilities are of the SMM (System Management Module) type: memory corruption problems leading to arbitrary code execution.
As specified in Bleeping Computer: “SMM is part of the UEFI firmware that provides system-wide functions like low-level hardware control and power management. The privileges of the SMM sub-system (ring -2) exceed those of the operating system kernel (ring 0), so flaws impacting the SMM can invalidate security features like Secure Boot, create invisible backdoors (for the victim), and enable intruders to install persistent malware implants.”
Binarly says in its report that the six flaws found in HP equipment are the following:
- CVE-2022-23930 – CVSS v3 score: 8.2 “High”.
- CVE-2022-31644 – CVSS v3 score: 7.5 “High”.
- CVE-2022-31645 – CVSS v3 score: 8.2 “High”.
- CVE-2022-31646 – CVSS v3 score: 8.2 “High”.
- CVE-2022-31640 – CVSS v3 score: 7.5 “High”.
- CVE-2022-31641 – CVSS v3 score: 7.5 “High”.
They also clarify that it can be complicated for a single manufacturer to release so many security updates for different devices due to the firmware production chain. So, users of both personal and business computers must trust the security measures they implement, from good antivirus to good use of equipment, systems, and web browsing.
Keep in touch with our blog to read the latest news and innovations in the cybersecurity world.
Photo by ThisisEngineering RAEng on Unsplash.
Facebook: Eagle Tech Corp
LinkedIn: Eagle Tech
YouTube: Eagle Tech Corp