If you have an HP Laptop, Desktop or PoS PC? Then you'll want to make sure its BIOS is up to date. Recently, the company has released updates for over 200 device models that fix two highly-critical vulnerabilities in UEFI firmware.
As reported by Bleeping Computer, HP has issued an advisory on potential security vulnerabilities that could allow arbitrary code execution with kernel privileges, which would enable hackers to access a device BIOS and plant malware Which cannot be removed or reinstalled by traditional antivirus software. Operating System.
Both vulnerabilities, CVE-2021-3808 and CVE-2021-3809, have a CVSS 3.1 base score of 8.8.
HP has not disclosed any technical information about the vulnerabilities. That was left to security researcher Nicholas Starke, who discovered them but has yet to receive credit from HP despite being told he would.
I've been working on a vulnerability for six months and the advisory was just made public yesterday. I was not credited anywhere, despite being told by @HP that I would be credited. Here is my blog post with the technical details: https://t.co/RzmXbLeN5Z (PSR-2021-0177 is mine)
— nicholas starke (@nstarke) May 11, 2022
"An attacker executing with kernel-level privileges (CPL == 0) could use this vulnerability to escalate privileges to System Management Mode (SMM)," Starke wrote. "Executing in SMM grants an attacker full control over the host, allowing them to carry out additional attacks."
Starke added that some HP models have mitigations that must be bypassed for the vulnerabilities to work, such as the HP Sure Start system, which detects when the firmware runtime has been tampered with.
Business notebook PCs affected by the vulnerabilities include the Elite Dragonfly and several EliteBooks and ProBooks; business desktop PCs such as the EliteDesk and EliteOne; retail point-of-sale PCs such as the Engage; desktop workstation PCs (Z1, Z2 lines); and four thin client PCs.
The complete list of affected HP devices and SoftPaqs can be found here. The updates have not yet reached all of them.
------ END OF ARTICLE ------
EDITOR'S PICK
Also Read: Gemini XIII: Investment in Diversion Podcasts
Also Read: Snapdragon 8 Gen 2 specifications and manufacturers