In temporary: Do you personal an HP laptop computer, desktop, or PoS PC? Then you may need to guarantee its BIOS is updated. The firm has simply launched updates for greater than 200 gadget fashions that repair two high-severity vulnerabilities within the UEFI Firmware.
As reported by Bleeping Computer, HP has issued an advisory over potential safety vulnerabilities that might enable arbitrary code execution with Kernel privileges, which might allow hackers to entry to a tool’s BIOS and plant malware that may’t be eliminated by conventional antivirus software program or reinstalling the working system.
Both the vulnerabilities—CVE-2021-3808 and CVE-2021-3809—have a high-severity CVSS 3.1 base rating of 8.8.
HP hasn’t revealed any technical particulars concerning the vulnerabilities. That was left to safety researcher Nicholas Starke, who found them however has not been credited by HP regardless of being instructed they might be.
I’ve been engaged on a vulnerability for six months and the advisory was simply made public yesterday. I used to be not credited wherever, regardless of being instructed by @HP that I might be credited. Here is my weblog put up with the technical particulars: (PSR-2021-0177 is mine)
— nicholas starke (@nstarke) May 11, 2022
“This vulnerability may enable an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM),” Starke wrote. “Executing in SMM provides an attacker full privileges over the host to additional perform assaults.”
Starke added that there are mitigations in some HP fashions that will should be bypassed for the vulnerabilities to work, together with HP Sure Start system, which detects when the firmware runtime has been tampered with.
The intensive record of units affected by the vulnerabilities consists of enterprise pocket book PCs such because the Elite Dragonfly and several other EliteBooks and ProBooks; enterprise desktop PCs, together with the EliteDesk and EliteOne; retail point-of-sale PCs just like the Engage; desktop workstation PCs (Z1, Z2 strains); and 4 skinny shopper PCs.
You can see the whole record of affected HP units and the corresponding SoftPaqs right here. Not all of them have obtained the updates but.