16 New High-Severity UEFI Firmware Flaws Discovered in Millions of HP Devices

Cybersecurity researchers on Tuesday disclosed 16 new high-severity vulnerabilities in various implementations of Unified Extensible Firmware Interface (UEFI) firmware impacting multiple HP enterprise devices.

The flaws, rated with CVSS scores from 7.5 to 8.8, affect HP laptops, desktops, point-of-sale (PoS) systems, and edge computing nodes.

“By exploiting the vulnerabilities disclosed, attackers can leverage them to perform privileged code execution in firmware, below the operating system, and potentially deliver persistent malicious code that survives operating system re-installations and allows the bypass of endpoint security solutions (EDR/AV), Secure Boot and Virtualization-Based Security isolation,” American firmware security company Binarly said in a report shared with The Hacker News.

The most severe are memory corruption vulnerabilities in the firmware's System Management Mode (SMM) code. SMM runs below the operating system and the hypervisor, so a memory-safety bug in an SMI handler allows arbitrary code execution at the highest privilege level on the platform.
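To make the SMM bug class concrete, here is an added illustration that is not Binarly's code nor code from any HP firmware: a simulated SMI handler that trusts an OS-supplied destination pointer, beside a hardened version. The SMRAM array, the COMM_BUFFER layout and the handler names are constructed for this example and do not correspond to any of the disclosed flaws; real EDK2 firmware performs the equivalent range check with SmmIsBufferOutsideSmmValid from SmmMemLib.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Simulated SMRAM. On real hardware this region is only accessible while the
 * CPU is in System Management Mode; here it is an ordinary static array so the
 * example runs in userland. (Constructed for this example.) */
static _Alignas(16) uint8_t g_smram[4096];
#define SMM_STATE_OFFSET 0x100   /* some SMM-private state we want to protect */

/* Hypothetical communication buffer an OS driver hands to an SMI handler.
 * The OS controls every field, including the destination pointer. */
typedef struct {
    uint8_t *Dest;      /* where the handler should write its reply */
    uint32_t Length;    /* number of bytes to copy */
    uint8_t  Data[64];  /* payload supplied by the OS */
} COMM_BUFFER;

void smram_reset(void) {
    memset(g_smram, 0xAA, sizeof g_smram);
}

uint8_t smram_state_byte(void) {
    return g_smram[SMM_STATE_OFFSET];
}

/* Vulnerable pattern: only the length is checked. Dest is trusted, so code
 * running in the OS can point it into SMRAM and have SMM overwrite its own
 * code or data with attacker-chosen bytes. */
int vulnerable_smi_handler(COMM_BUFFER *buf) {
    if (buf->Length > sizeof buf->Data)
        return -1;
    memcpy(buf->Dest, buf->Data, buf->Length);
    return 0;
}

/* True if [addr, addr+len) touches simulated SMRAM. Written to be safe against
 * addr+len wrapping around, the trick that defeats naive "end < start" checks. */
static bool overlaps_smram(const void *addr, size_t len) {
    uintptr_t a = (uintptr_t)addr;
    uintptr_t s = (uintptr_t)g_smram;
    uintptr_t e = s + sizeof g_smram;
    if (len == 0)
        return false;
    if (a + len < a)                 /* wraparound: treat as hostile */
        return true;
    return a < e && a + len > s;
}

/* Hardened pattern. Three things the vulnerable version lacks:
 *  1. the communication buffer itself must lie outside SMRAM;
 *  2. the buffer is copied into SMM-private memory (here the stack, which in
 *     real SMM lives inside SMRAM) before validation, so the OS cannot change
 *     Dest between the check and the use (TOCTOU / double fetch);
 *  3. the destination range [Dest, Dest+Length) must lie outside SMRAM. */
int hardened_smi_handler(COMM_BUFFER *buf) {
    COMM_BUFFER local;
    if (overlaps_smram(buf, sizeof *buf))
        return -2;
    memcpy(&local, buf, sizeof local);           /* single fetch */
    if (local.Length > sizeof local.Data)
        return -1;
    if (overlaps_smram(local.Dest, local.Length))
        return -2;
    memcpy(local.Dest, local.Data, local.Length);
    return 0;
}

int main(void) {
    COMM_BUFFER req;
    uint8_t reply[64];
    int rc;

    smram_reset();
    memset(&req, 0, sizeof req);
    req.Length = 4;
    memset(req.Data, 0x41, req.Length);

    /* Attack: aim Dest at SMM-private state. */
    req.Dest = g_smram + SMM_STATE_OFFSET;
    rc = vulnerable_smi_handler(&req);
    printf("vulnerable: rc=%d, state byte now 0x%02x\n", rc, smram_state_byte());
    smram_reset();
    rc = hardened_smi_handler(&req);
    printf("hardened:   rc=%d, state byte still 0x%02x\n", rc, smram_state_byte());

    /* Legitimate request: Dest in OS memory. */
    req.Dest = reply;
    rc = hardened_smi_handler(&req);
    printf("hardened legitimate: rc=%d, reply[0]=0x%02x\n", rc, reply[0]);
    return 0;
}
```

The range check is only one part of the fix: the copy-then-validate step matters just as much, because an SMI handler that re-reads fields from OS memory after validating them can be raced from another core. Real firmware must additionally reject destinations that alias MMIO and the handler's own data structures, which this simulation does not model.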

Following a coordinated disclosure process with HP and CERT Coordination Center (CERT/CC), the issues were addressed as part of a
