HP Enterprises has been delaying patches for six known bugs that the Binarly team discovered this year and last year, as reported by TechDator. These bugs may affect devices used in enterprise environments, which may be put at risk if the company does not take action.


The bugs may also lead to malware infections that persist even after users have reinstalled the operating system, which the team describes as "long-time persistence".

According to the report that Binarly highlighted, no security updates have been released for these models since the bugs were made public at Black Hat 2022, leaving their users exposed to future attacks.

The team stated, "In all, Binarly helped to fix six high-severity vulnerabilities that not only affect these devices but were also found in multiple additional HP product lines." The researchers presented three bugs in July 2021 and added three more bugs in April this year.

All of Binarly's discoveries were found in HP's System Management Mode (SMM) code and may lead to memory corruption and arbitrary code execution. SMM is a part of the Unified Extensible Firmware Interface (UEFI) firmware that supplies system-wide functions such as low-level hardware control and power management.


Firmware Bugs Details 

  • CVE-2022-23930 (CWE-121: Stack-based Buffer Overflow)

    • This bug lets an attacker alter an attacker-controlled data buffer, leading to arbitrary code execution in SMM, because the CommBuffer is not sanitized.

  • CVE-2022-31644 (CWE-787: Out-of-bounds Write)

    • An attacker can partially bypass validation because the size of the buffer used in the validation is not checked to be an expected value or range.

  • CVE-2022-31645 (CWE-787: Out-of-bounds Write)

    • Allows an attacker to partially bypass the applied validation, which may lead to memory corruption, because the size of the buffer is not checked to be an expected value or range even though the pointer is validated.

  • CVE-2022-31646 (CWE-787: Out-of-bounds Write)

    • An attacker can elevate privileges and execute arbitrary code through direct memory manipulation.

  • CVE-2022-31640

    • Because of improper input validation, attackers have full control over the CommBuffer data, which might open the way to unrestricted modifications.

  • CVE-2022-31641

    • Attackers might execute arbitrary code because of a vulnerability in the SMI handler.
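The partial-validation pattern described for CVE-2022-31644 and CVE-2022-31645 (pointer checked, size not checked) can be seen in a small model. This is an added example, not HP's or Binarly's code: the SMRAM range, the `request_t` layout and all function names are hypothetical and constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model: SMRAM occupies [SMRAM_BASE, SMRAM_BASE + SMRAM_SIZE). */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL

/* Hypothetical request layout the handler expects to find in the CommBuffer. */
typedef struct { uint32_t command; uint32_t length; uint8_t data[64]; } request_t;

/* True when [addr, addr + len) lies wholly outside SMRAM and does not wrap. */
static bool range_outside_smram(uint64_t addr, uint64_t len) {
    if (len == 0 || addr + len < addr) return false;   /* empty, or wraps */
    return addr + len <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

/* Partial validation: only the first byte of the buffer is checked, so a
   caller-supplied size can stretch the range into SMRAM unnoticed. */
bool validate_pointer_only(uint64_t comm_buffer, uint64_t comm_size) {
    (void)comm_size;                                   /* size is ignored */
    return range_outside_smram(comm_buffer, 1);
}

/* Full validation: the size must be the expected value, the whole range must
   be outside SMRAM, and the embedded length must fit the payload field.
   In EDK II, SmmIsBufferOutsideSmmValid() performs the range part. */
bool validate_full(uint64_t comm_buffer, uint64_t comm_size, uint32_t inner_len) {
    if (comm_size != sizeof(request_t)) return false;
    if (!range_outside_smram(comm_buffer, comm_size)) return false;
    return inner_len <= sizeof(((request_t *)0)->data);
}

int main(void) {
    uint64_t near_smram = SMRAM_BASE - 16;  /* constructed: just below SMRAM */
    printf("pointer-only check accepts straddling buffer: %d\n",
           validate_pointer_only(near_smram, 0x100));
    printf("full check accepts straddling buffer:         %d\n",
           validate_full(near_smram, sizeof(request_t), 8));
    return 0;
}
```

A handler that passes these checks should still copy the request into SMRAM before using it, so the values it validated cannot change afterwards.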

Affected Devices

According to the company's statement, the impacted models include some Business Notebook PCs (Elite, ZBook, and ProBook), Business Desktop PCs (ProDesk, EliteDesk, and ProOne), HP workstations (Z1, Z2, Z4, and ZCentral), and some point-of-sale systems.

Patches Released by HP

Bleeping Computer reported that HP released three security advisories acknowledging and addressing the vulnerabilities that the researchers disclosed. CVE-2022-23930 was fixed last March (excluding the thin client PCs), and security updates were released in August for CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646.


This article is owned by TechTimes


Written by Inno Flores

ⓒ 2024 TECHTIMES.com All rights reserved. Do not reproduce without permission.