A great way to protect your data and personal information from cybercriminals is to keep your devices up to date. Microsoft and Apple regularly push out updates that fix vulnerabilities, but it’s your responsibility to ensure your gadgets get those updates.
Some internal computer components run on firmware from the hardware manufacturer, such as the Wi-Fi adapter, Bluetooth connections or memory modules. So, if HP or another manufacturer detects a problem with one of their components, they issue a firmware update.
Many assume it happens as quickly as possible, but that isn’t always the case. Read on to see how HP let several vulnerabilities lapse, opening the door to cybercriminals.
Here’s the backstory
It seems that HP has a habit of leaving vulnerabilities unpatched or just not acting fast enough. For example, late last year, the company let users know of a dangerous vulnerability that can give hackers access to your machine by exploiting an Escalation of Privilege and Denial of Service flaw.
In July last year, security researchers at Binarly also notified HP of three vulnerabilities in its firmware and gave details on three more firmware vulnerabilities in April this year. However, according to the researchers, only a few flaws have been patched.
That still leaves thousands of users open to attack through System Management Module memory corruptions. The six flaws found are:
- CVE-2022-23930: Stack-based buffer overflow leading to arbitrary code execution.
- CVE-2022-31644: Out-of-bounds write on CommBuffer, allowing partial validation bypassing.
- CVE-2022-31645: Out-of-bounds write on CommBuffer based on not checking the size of the pointer sent to the SMI handler.
- CVE-2022-31646: Out-of-bounds write based on direct memory manipulation API functionality, leading to privilege elevation and arbitrary code execution.
- CVE-2022-31640: Improper input validation giving attackers control of the CommBuffer data and opening the path to unrestricted modifications.
- CVE-2022-31641: Callout vulnerability in the SMI handler leading to arbitrary code execution.
The flaws can give hackers access to your work or business computer. They open the door to malware being installed on your machine. Then they can steal your information and company data.
What you can do about it
It might have taken HP several months, but it eventually released a patch for three vulnerabilities. Unfortunately, that only somewhat corrects the issue.
HP fixed the CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646 flaws in August this year but didn’t include fixes for all impacted machines. The list of vulnerable devices still includes many business notebooks and desktop PCs, retail point-of-sale systems, workstations and thin client PCs.
You can find a complete list of the affected machines on HP’s security advisory. If the Minimum Version and SoftPaq number say, “pending,” there isn’t a patch available yet.
If there isn’t a firmware update available for your HP machine, you must ensure that your anti-virus program is up to date. This will be the only protection you have until HP fixes the vulnerabilities. Also, keep checking HP for firmware updates. Once an update is available, install it ASAP.
This highlights the importance of having reliable antivirus protection on all your devices. We recommend our sponsor, TotalAV. Right now, get an annual plan with TotalAV for only $19 at ProtectWithKim.com. That’s over 85% off the regular price!