430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|430,000 FortiGate Devices Exposed in FortiBleed Ransomware Link|Adobe fixed multiple maximum-severity flaws in ColdFusion and Campaign Classic|Alleged Scattered Spider Hacker Extradited to U.S. to Face Cybercrime Charges|Oracle E-Business Suite Flaw Under Active Attack, 950 Systems Exposed|Azure CLI Targeted in LSHIY Password Spray Campaign Across 64 Orgs|CISA Warns BlueHammer Flaw Is Now Exploited in Ransomware Attacks|RustDuck: The Botnet That’s Still Small but Engineering Like It Plans to Grow|GuardFall Flaw Hits 10 of 11 Popular Open-Source AI Agents|XSS.is, The Forum That Ran the Ransomware Supply Chain Is Down. The Market Isn’t|U.S. CISA adds SimpleHelp flaw to its Known Exploited Vulnerabilities catalog|Hackers Steal Data of 4.38 Million Aflac Japan Customers|Apple Fixes WebKit Flaws in iOS and macOS, With Help From AI Tools|
Advertisement

Ad Placeholder

Full Width × 90

Breaking News

Some firmware bugs in HP business devices are yet to be fixed

Six high-severity firmware bugs affecting several HP Enterprise devices are yet to be patched, some of them since July 2021. The Binarly security research team reported several HP Enterprise devices are affected by six high-severity firmware vulnerabilities that are yet to be patched, and some of them have been disclosed more than a year ago. […]

HP Poly VoIP phones

Six high-severity firmware bugs affecting several HP Enterprise devices are yet to be patched, some of them since July 2021.

The Binarly security research team reported several HP Enterprise devices are affected by six high-severity firmware vulnerabilities that are yet to be patched, and some of them have been disclosed more than a year ago.

The researchers disclosed technical details of some of the vulnerabilities at the Black Hat 2022 conference.

The bugs affect HP EliteBook devices and multiple additional HP product lines, the experts reported that the issues are arbitrary code execution vulnerabilities related to System Management Mode (SMM) of the of the Unified Extensible Firmware Interface (UEFI).

The SMM is an operating mode of x86 CPUs in which all normal execution, including the operating system, is suspended.

When a code is sent to the SMM, the operating system is suspended and a portion of the UEFI/BIOS firmware executes various commands with elevated privileges and with access to all the data and hardware.

Below is the list of the vulnerabilities:

VulnerabilitiesBRLY IDCVE IDCVSS score
SMM Memory Corruption
(Arbitrary Code Execution)
BRLY-2022-010
BRLY-2022-011
BRLY-2022-012
BRLY-2022-013
BRLY-2021-046
BRLY-2021-047
CVE-2022-23930
CVE-2022-31644
CVE-2022-31645
CVE-2022-31646
CVE-2022-31640
CVE-2022-31641
8.2 High
7.5 High
8.2 High
8.2 High
7.5 High
7.5 High

Three vulnerabilities have been reported to HP in July 2021, while other three issues were disclosed in April 2022.

Vulnerabilities in the SMM can be exploited to to bypass the Secure Boot, threat actors can bypass this security feature to create stealth rootkits.

In February 2022, HP addressed the CVE-2022-23930 with the release of HP PC BIOS Security Updates.

The tech giant addressed CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646 in August 2022, but several business notebooks and desktops, and workstations have yet to receive updates.

The remaining issues, tracked as CVE-2022-31640 and CVE-2022-31641, were addressed on September 2022, but many workstations are yet to be patched.

“Based on the Binarly’s telemetry data, we are experiencing the same effect. In terms of impact at scale, firmware supply chain problems are one of the major challenges.” concludes Binarly speaking about firmware vulnerabilities. “Approximately 20% of firmware updates contain at least two or three known vulnerabilities (previously disclosed), according to Binarly Platform data (based on enterprise-grade vendors study).”

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″][adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, firmware bugs)

[adrotate banner=”5″]

[adrotate banner=”13″]