HP released updates for two high-severity flaws in the UEFI firmware of more than 200 laptops, workstations, and other products on Wednesday.
The two flaws, CVE-2021-3808 and CVE-2021-3809, have a CVSS score of 8.8. HP credited Aruba Threat Labs' Nicholas Starke and a researcher going by the online handle "yngweijw" with reporting the issues but did not disclose technical details on either flaw.
The company did, however, provide a list of affected products, which includes a variety of corporate notebooks and desktop PCs, as well as desktop workstations, retail point-of-sale devices, and thin client PCs.
“Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities,” HP notes in its advisory.
According to Starke, HP took almost six months to fix CVE-2021-3809, the issue he disclosed. He adds that the security flaw is due to an SMI (System Management Interrupt) handler called from System Management Mode (SMM), a highly privileged x86 processor execution mode.
The SMI handler, according to Starke, may be triggered from a kernel execution context such as a Windows kernel driver, enabling an attacker to determine the memory location of a specific function and overwrite it in physical memory so that it points to attacker code.
“This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM). Executing in SMM gives an attacker full privileges over the host to further carry out attacks,” Starke added.
While the majority of the vulnerable devices have already received firmware updates, a handful have yet to receive them. Users can check HP's advisory for more information on the impact and upgrades.
HP also released warnings this week that outline the updates Intel has released to address several firmware and software vulnerabilities affecting its CPUs and chipsets, as well as HP products.