Multiple high-severity vulnerabilities affecting a number of HP business notebooks (opens in new tab), business desktop PCs (opens in new tab), point of sale systems, and workstations (opens in new tab), have been sitting unpatched for months on end, researchers have warned.
This could mean countless HP users are at risk of having their endpoints broken, their files stolen, or their digital accounts compromised, as all of the flaws found allow for arbitrary code execution.
What’s more, as the flaws are in the firmware, they can persist even after reinstalling the operating system, experts have warned.
Partial fix
According to Binarly, the company found a total of six vulnerabilities – three in July 2021 and three more in April 2022, all of which are System Management Module (SMM) memory corruption vulnerabilities.
The flaws are tracked as CVE-2022-23930 (8.2), CVE-2022-31644 (7.5), CVE-2022-31645 (8.2), CVE-2022-31646 (8.2), CVE-2022-31640 (7.5), and CVE-2022-31641 (7.5).
Since the disclosure, HP has published three security advisories for three of the flaws, and pushed three BIOS updates, fixing the flaws on some of the models.
However, the company has failed to release any patches for the devices in Elite, Zbook, or ProBook series, as well as for ProDesk, EliteDesk, and ProOne series. HP workstations, including Z1, Z2, Z4, and Zcentral, are also still vulnerable to the flaws.
Even though Binarly warned of the potential risk associated with not having patches for these flaws, the company did stress the difficulties that come with fixing vulnerabilities for a single vendor.
“As a result of the complexity of the firmware supply chain, there are gaps that are difficult to close on the manufacturing end since it involves issues beyond the control of the device vendors,” it said in its report.
TechRadar Pro has reached out to HP for a comment on when it plans on releasing fixes for the affected devices, and will update the article if we receive a reply.
Via: BleepingComputer (opens in new tab)
