HP has released a series of updates aimed at addressing a number of potentially serious security vulnerabilities affecting many of its computing devices.
First detected in November 2021, the issues affect some of HP’s most popular brands, including EliteBook laptops, EliteDesk desktops and its Z1 and Z2 workstations.
The flaws, tracked as CVE-2021-3808 and CVE-2021-3809 and carrying a high severity rating, could have allowed hackers to access victim devices and execute code with kernel privileges, potentially allowing them to execute any command at the kernel level.
HP security issues
In a security advisory posted on its website, HP noted that “Potential security vulnerabilities have been identified in the BIOS (UEFI firmware) for certain HP PC products, which could allow the execution of arbitrary code. HP releases firmware updates to mitigate these potential vulnerabilities.”
The company didn’t go into specific technical details regarding the issues, but urged customers to download and install the updates immediately.
However, Nicholas Starke, the researcher who first discovered the flaws, described the potential effects the issues could have had in a bit more detail.
“The vulnerability could allow an attacker running with kernel-level privileges (CPL==0) to elevate privileges to System Management Mode (SMM). Running in SMM gives an attacker full privileges on the host to carry out attacks,” Starke noted in a blog post.
He explained how a vulnerable SMI handler can be triggered through the Windows kernel driver, with attackers able to trigger remote code execution after finding the memory address of the “LocateProtocol” function and overwriting it with malicious code.
They could then install malware that could not be removed even with anti-virus platforms or an OS reinstallation.
Some HP models are able to withstand such attacks, Starke added, with the company’s HP Sure Start software capable of detecting such interference, shutting down the host and prompting users to approve a system boot.
The news comes shortly after HP released patches for four dangerous vulnerabilities affecting hundreds of its printers that could lead to remote code execution, data theft or denial of service.