Firmware flaws are dangerous because they can lead to malware infections that persist even across OS re-installations, or enable long-term compromises that standard security tools would not detect.
According to security outfit Binarly, a month after it made some of the flaws public at Black Hat 2022, the vendor still hasn't released security updates for all impacted models, leaving many customers exposed.
The researchers reported three bugs to HP in July 2021 and the other three in April 2022, so the vendor had between four months and more than a full year to push updates for all affected devices.
Binarly found mostly System Management Mode (SMM) memory corruption problems leading to arbitrary code execution. SMM is part of the UEFI firmware that provides system-wide functions like low-level hardware control and power management.
Flaws impacting SMM can invalidate security features like Secure Boot, create backdoors that are invisible to the victim, and enable intruders to install persistent malware implants. The six flaws Binarly says HP has left unpatched for months are:
CVE-2022-23930 – Stack-based buffer overflow leading to arbitrary code execution. (CVSS v3 score: 8.2 “High”)
CVE-2022-31644 – Out-of-bounds write on CommBuffer, allowing partial validation bypass. (CVSS v3 score: 7.5 “High”)
CVE-2022-31645 – Out-of-bounds write on CommBuffer based on not checking the size of the pointer sent to the SMI handler. (CVSS v3 score: 8.2 “High”)
CVE-2022-31646 – Out-of-bounds write based on direct memory manipulation API functionality, leading to privilege elevation and arbitrary code execution. (CVSS v3 score: 8.2 “High”)
CVE-2022-31640 – Improper input validation giving attackers control of the CommBuffer data and opening the path to unrestricted modifications. (CVSS v3 score: 7.5 “High”)
CVE-2022-31641 – Callout vulnerability in the SMI handler leading to arbitrary code execution. (CVSS v3 score: 7.5 “High”)
[Figure: Triggering memory corruption in SMM (CVE-2022-31645) (Binarly)]
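The CommBuffer and SMI handler bugs listed above share one root cause: the handler acts on a size or pointer supplied from outside SMM without checking it. As an added illustration (not Binarly's or HP's code), here is a stand-alone C model of the validation a hardened SMI handler performs before touching anything: the CommBuffer must have the expected size, its own address range must lie outside SMRAM, and any pointer/length pair embedded in it must too. The SMRAM window, the payload layout and the function names are assumptions made for this model.

```c
#include <stdbool.h>
#include <stdint.h>

/* Constructed SMRAM window for this model. Real firmware obtains the range
   from the SMM access protocol at boot; these values are assumptions. */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL

/* Hypothetical CommBuffer payload: the OS-side caller hands the handler a
   pointer and a length that the handler is asked to read from. */
typedef struct {
    uint64_t src_addr;
    uint64_t src_len;
} comm_payload_t;

/* True only if [addr, addr+len) has non-zero length, does not wrap around,
   and lies entirely outside SMRAM. Re-implements the idea behind EDK2's
   SmmIsBufferOutsideSmmValid() so the block runs without firmware headers. */
bool range_outside_smram(uint64_t addr, uint64_t len)
{
    if (len == 0 || addr + len < addr)   /* empty range or arithmetic wrap */
        return false;
    uint64_t end = addr + len;
    uint64_t smram_end = SMRAM_BASE + SMRAM_SIZE;
    /* No overlap with [SMRAM_BASE, smram_end). */
    return end <= SMRAM_BASE || addr >= smram_end;
}

/* Hardened handler entry (hypothetical name). comm_addr/comm_size describe
   the CommBuffer as handed over by the SMM core; payload is its content.
   Returns true if the request may be processed, false if it is rejected. */
bool smi_handler_validate(uint64_t comm_addr, uint64_t comm_size,
                          const comm_payload_t *payload)
{
    /* 1. The CommBuffer must be exactly the size the handler expects;
          trusting a caller-controlled size is the unchecked-size bug class. */
    if (comm_size != sizeof(comm_payload_t))
        return false;
    /* 2. The CommBuffer itself must be outside SMRAM. */
    if (!range_outside_smram(comm_addr, comm_size))
        return false;
    /* 3. The embedded pointer/length must also be outside SMRAM; otherwise a
          copy through it would be an SMRAM write driven from the OS. */
    if (!range_outside_smram(payload->src_addr, payload->src_len))
        return false;
    return true;
}
```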
Security flaws fix status
HP has released three security advisories acknowledging the mentioned vulnerabilities, along with an equal number of BIOS updates addressing the issues for some of the impacted models.
Many business notebook PCs (Elite, ZBook, ProBook), business desktop PCs (ProDesk, EliteDesk, ProOne), point-of-sale systems, and HP workstations (Z1, Z2, Z4, ZCentral) have not received patches yet.
CVE-2022-31640 and CVE-2022-31641 received fixes throughout August, with the last update landing on September 7, 2022, but many HP workstations remain exposed without an official fix (see the advisories for details).