Researchers discovered a dozen potentially serious vulnerabilities affecting UEFI firmware present on devices from HP and possibly other vendors.
A total of 16 CVE identifiers have been assigned to the vulnerabilities, which carry high severity ratings and have been described as stack overflow, heap overflow, and memory corruption bugs affecting the UEFI Runtime Driver eXecution Environment (DXE) and System Management Mode (SMM) components.
The flaws affect a wide range of enterprise products made by HP, including desktop, laptop, point-of-sale, and edge computing devices.
Exploitation can allow an attacker with privileged user permissions to execute arbitrary code in the firmware, which can be useful for delivering persistent malware and bypassing endpoint security products, Secure Boot, and virtualization-based security.
HP also said that exploitation could lead to denial of service (DoS) and information disclosure.
One of the vulnerabilities affecting HP systems has also been found to impact Dell devices, and a closer analysis revealed that the flaw was present in a firmware driver provided by AMD. This indicates that the issue could affect the devices of all manufacturers using the problematic AMD code.
HP has published two advisories to inform customers about these vulnerabilities. HP addressed the flaws with its HP UEFI Firmware February 2022 security updates.