- Binarly has released a report showing that some business-focused HP products have been vulnerable for more than a year.
- A total of six vulnerabilities were found in the devices; three of them were reported back in July 2021.
- Only one of those six vulnerabilities has received fixes on all of the vulnerable products.
Security vulnerabilities in services, software, and devices are unavoidable; they will exist even in products that are coded exceptionally carefully. What sets companies apart in this area is how they react to those issues. HP, one of the biggest tech companies, has left serious vulnerabilities in its devices unpatched for more than a year.
Affecting many business products
- Business laptops: Elite, Zbook, ProBook
- Business desktop PCs: ProDesk, EliteDesk, ProOne
- Workstations: Z1, Z2, Z4, Zcentral
- Point of sale systems
The vulnerabilities in those devices could allow the execution of arbitrary code, and their severity scores range from 7.5 to 8.2:
- CVE-2022-23930 (CVSS 8.2): Stack-based buffer overflow, allowing arbitrary code execution.
- CVE-2022-31644 (CVSS 7.5): Out-of-bounds write, allowing a partial validation bypass.
- CVE-2022-31645 (CVSS 8.2): Out-of-bounds write, allowing memory corruption in SMM.
- CVE-2022-31646 (CVSS 8.2): Out-of-bounds write, allowing escalation of privilege and arbitrary code execution.
- CVE-2022-31640 (CVSS 7.5): Improper input validation, providing control of the CommBuffer data and allowing unrestricted modifications.
- CVE-2022-31641 (CVSS 7.5): Improper input validation, allowing arbitrary code execution.
Three of those vulnerabilities were reported to HP in July 2021, and the remaining three in April 2022. All six reside in the System Management Mode (SMM) code of the aforementioned devices.
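The input-validation flaws listed above belong to a well-known SMM bug class: an SMI handler trusts a caller-controlled CommBuffer pointer and length without checking that the range lies entirely outside SMRAM. The following is an added illustration of the defensive check such a handler must perform; it is not Binarly's or HP's code, and the SMRAM window, the header layout and the handler function are constructed for the example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Hypothetical SMRAM window (constructed values, not taken from any HP platform). */
#define SMRAM_BASE 0x7F000000ULL
#define SMRAM_SIZE 0x00800000ULL   /* 8 MiB */

/* Returns true only if [addr, addr + size) is non-empty, does not wrap around
 * the address space, and does not overlap SMRAM at all. A handler that skips
 * this check can be steered into reading or writing SMRAM on the caller's behalf. */
bool comm_buffer_outside_smram(uint64_t addr, uint64_t size)
{
    if (size == 0)
        return false;                     /* nothing to process; reject */
    if (addr > UINT64_MAX - size)
        return false;                     /* addr + size would wrap around */
    uint64_t end = addr + size;           /* exclusive end of the caller's range */
    uint64_t smram_end = SMRAM_BASE + SMRAM_SIZE;
    /* Two half-open ranges overlap iff each starts before the other ends. */
    if (addr < smram_end && end > SMRAM_BASE)
        return false;                     /* straddles or lies inside SMRAM */
    return true;
}

/* Constructed CommBuffer header: the OS-side caller supplies a nested pointer
 * and a length, both of which are untrusted inside the SMI handler. */
typedef struct {
    uint64_t data_ptr;
    uint32_t data_len;
} comm_header_t;

/* Hardened handler: validate the nested range before touching any memory.
 * Returns 0 when the request is accepted and -1 when it is rejected. */
int smi_handler_hardened(const comm_header_t *hdr)
{
    if (!comm_buffer_outside_smram(hdr->data_ptr, hdr->data_len))
        return -1;
    /* Only now is it safe to copy or process hdr->data_ptr[0 .. data_len). */
    return 0;
}
```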
HP published a security advisory for these vulnerabilities and pushed BIOS updates for some of the affected devices. However, only CVE-2022-23930 has been fixed on all devices; the remaining five flaws still exist in some products.