Serious vulnerabilities in HP devices left unpatched for months on end

Representational image of a cybercriminal
Image Credit: Pixabay (Image credit: Pixabay)

Multiple high-severity vulnerabilities affecting a number of HP business notebooks, business desktop PCs, point of sale systems, and workstations, have been sitting unpatched for months on end, researchers have warned. 

This could mean countless HP users are at risk of having their endpoints broken, their files stolen, or their digital accounts compromised, as all of the flaws found allow for arbitrary code execution. 

What’s more, as the flaws are in the firmware, they can persist even after reinstalling the operating system, experts have warned.

Partial fix

According to Binarly, the company found a total of six vulnerabilities - three in July 2021 and three more in April 2022, all of which are System Management Module (SMM) memory corruption vulnerabilities. 

The flaws are tracked as CVE-2022-23930 (8.2), CVE-2022-31644 (7.5), CVE-2022-31645 (8.2), CVE-2022-31646 (8.2), CVE-2022-31640 (7.5), and CVE-2022-31641 (7.5).

Since the disclosure, HP has published three security advisories for three of the flaws, and pushed three BIOS updates, fixing the flaws on some of the models. 

However, the company has failed to release any patches for the devices in Elite, Zbook, or ProBook series, as well as for ProDesk, EliteDesk, and ProOne series. HP workstations, including Z1, Z2, Z4, and Zcentral, are also still vulnerable to the flaws. 

Even though Binarly warned of the potential risk associated with not having patches for these flaws, the company did stress the difficulties that come with fixing vulnerabilities for a single vendor. 

“As a result of the complexity of the firmware supply chain, there are gaps that are difficult to close on the manufacturing end since it involves issues beyond the control of the device vendors,” it said in its report.

TechRadar Pro has reached out to HP for a comment on when it plans on releasing fixes for the affected devices,  and will update the article if we receive a reply.

Via: BleepingComputer

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

TOPICS