HP has left six firmware security flaws in some of its enterprise notebook devices unpatched even though the vulnerabilities were publicly disclosed months ago, according to The Hacker News.
HP EliteBook devices are affected by the high-severity bugs, which stem from memory corruption in firmware System Management Mode (SMM) and could be exploited to achieve arbitrary code execution with the highest privileges, according to Binarly researchers.
HP was informed about the stack-based buffer overflow bug, tracked as CVE-2022-23930, and the improper input validation flaws, tracked as CVE-2022-31640 and CVE-2022-31641, in July 2021, while the out-of-bounds write vulnerabilities, tracked as CVE-2022-31644, CVE-2022-31645, and CVE-2022-31646, were reported in April; HP only issued mitigations in March and August.
"In many cases, firmware is a single point of failure between all the layers of the supply chain and the endpoint customer device... As a result of the complexity of the firmware supply chain, there are gaps that are difficult to close on the manufacturing end since it involves issues beyond the control of the device vendors," said Binarly.