HP fixes bug letting attackers overwrite firmware in over 200 models

HP has released BIOS updates today to fix two high-severity vulnerabilities affecting a wide range of PC and notebook products, which allow code to run with kernel privileges.

Kernel-level privileges are the highest rights in Windows, allowing threat actors to execute any command at the kernel level, including manipulating drivers and accessing the BIOS.

The flaws are tracked as CVE-2021-3808 and CVE-2021-3809, and both have a CVSS 3.1 base score of 8.8, giving them a high severity rating. At this time, HP has provided no technical details about these flaws.

“Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities,” reads the short advisory.

The list of affected products includes business notebooks like Zbook Studio, ZHAN Pro, EliteBook, ProBook, and Elite Dragonfly, business desktop PCs like the EliteDesk and ProDesk, retail PoS computers like the Engage, workstations like the Z1 and Z2, and thin client PCs.

For a full list of all the impacted models and the corresponding SoftPaqs to apply in each case, check the security advisory page and look for your product. Note that not all of the listed products have received a fixing patch yet.

Researcher discloses more

Nicholas Starke, the researcher who discovered these flaws in November 2021 and reported them to HP, explains the problem in greater depth in a separate blog post.

“This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM). Executing in SMM gives an attacker full privileges over the host to further carry out attacks,” explains a report by Starke.

The problem appears to be that an SMI handler can be triggered from the OS environment, for example, by a Windows kernel driver.

[Image: The vulnerable SMI handler (StarkeBlog)]

An attacker needs to locate the memory address of the “LocateProtocol” function and overwrite it with malicious code. Ultimately, the attacker can trigger code execution by instructing the SMI handler to run.

It’s important to underline that to exploit the vulnerability, an attacker would need to have root/SYSTEM-level privileges on the target system, and execute code in System Management Mode (SMM).

The ultimate goal of such an attack would be to overwrite the UEFI implementation (BIOS) of the machine with attacker-controlled BIOS images. This means an attacker could plant persistent malware that cannot be removed by antivirus tools, and not even with OS reinstalls.

Finally, it’s also important to emphasize that some HP computer models have mitigations that the attacker would need to bypass in order for the exploit to work, like the HP Sure Start system for example.

The researcher explains that HP Sure Start can detect tampering of this kind and shut down the host upon the memory corruption act. Then, at the next startup, a warning will be displayed to the user along with a prompt to approve the system boot.

HP’s latest fixes come only two months after the computer maker plugged 16 UEFI firmware bugs and a few months after addressing a different set of BIOS flaws.

As such, if you haven’t applied the security updates yet, make sure to take a backup of your data on a separate system and do so now.