On Tuesday, cybersecurity researchers discovered 16 new high-severity flaws in multiple implementations of the Unified Extensible Firmware Interface (UEFI) firmware that affect several HP corporate devices. The flaws, found in HP’s UEFI firmware, carry CVSS ratings ranging from 7.5 to 8.8. Vulnerable devices include HP laptops, desktops, point-of-sale (PoS) systems, and edge computing nodes.
“By exploiting the vulnerabilities disclosed, attackers can leverage them to perform privileged code execution in firmware, below the operating system, and potentially deliver persistent malicious code that survives operating system re-installations and allows the bypass of endpoint security solutions (EDR/AV), Secure Boot and Virtualization-Based Security isolation,” firmware security company Binarly stated in a report.
The most serious weaknesses are a variety of memory corruption vulnerabilities in the firmware’s System Management Mode (SMM), which allow arbitrary code to be executed with the highest privileges. The flaws were fixed as part of a series of security updates released in February and March 2022, after a coordinated disclosure procedure with HP and the CERT Coordination Center (CERT/CC).
The researchers said that most of the problems are repeated failures; some are caused by the codebase’s complexity or by outdated components that receive less security attention but are still extensively employed in the field. A little over a month ago, Binarly announced the discovery of 23 high-impact vulnerabilities in Insyde Software’s InsydeH2O UEFI firmware, which may be used to implant persistent malware capable of circumventing security solutions.
The new findings are especially relevant because firmware has become an ever-expanding attack surface for threat actors to undertake highly targeted catastrophic strikes. Since 2018, at least five distinct firmware malware variants have been discovered in the wild. According to a study released last month by the US Commerce and Homeland Security departments, the firmware layer is often neglected, yet it is a single point of failure in devices and one of the stealthiest ways for an attacker to compromise devices at scale.