Security News > 2022 > March > HP patches 16 UEFI firmware bugs allowing stealthy malware infections

HP patches 16 UEFI firmware bugs allowing stealthy malware infections
2022-03-08 18:00

HP has disclosed 16 high-impact UEFI firmware vulnerabilities that could allow threat actors to infect devices with malware that gain high privileges and remain undetectable by installed security software.

SSM. CVE-2021-23924: heap buffer overflow leading to arbitrary code execution.

CVE-2021-23931: heap buffer overflow leading to arbitrary code execution.

CVE-2021-23934: memory corruption leading to arbitrary code execution(CVSS - 8.2). DXE. CVE-2021-39297: stack buffer overflow leading to arbitrary code execution.

CVE-2021-39299: stack buffer overflow leading to arbitrary code execution.

One of the flaws, CVE-2021-39298, was identified as an AMD reference code vulnerability, and as such, it doesn't affect only HP but numerous computer vendors who use the particular firmware driver.


News URL

https://www.bleepingcomputer.com/news/security/hp-patches-16-uefi-firmware-bugs-allowing-stealthy-malware-infections/

Related Vulnerability

DATE CVE VULNERABILITY TITLE RISK
2022-02-16 CVE-2021-39299 Unspecified vulnerability in HP products
Potential vulnerabilities have been identified in UEFI firmware (BIOS) for some PC products which may allow escalation of privilege and arbitrary code execution.
local
low complexity
hp
8.8
2022-02-16 CVE-2021-39298 Unspecified vulnerability in HP products
A potential vulnerability in AMD System Management Mode (SMM) interrupt handler may allow an attacker with high privileges to access the SMM resulting in arbitrary code execution which could be used by malicious actors to bypass security mechanisms provided in the UEFI firmware.
local
low complexity
hp
8.8
2022-02-16 CVE-2021-39297 Unspecified vulnerability in HP products
Potential vulnerabilities have been identified in UEFI firmware (BIOS) for some PC products which may allow escalation of privilege and arbitrary code execution.
local
low complexity
hp
8.8
2021-04-01 CVE-2021-23924 Information Exposure Through Log Files vulnerability in Devolutions Server
An issue was discovered in Devolutions Server before 2020.3.
network
low complexity
devolutions CWE-532
7.5
2021-01-12 CVE-2021-23931 Cross-site Scripting vulnerability in Open-Xchange Appsuite
OX App Suite through 7.10.4 allows XSS via an inline binary file.
network
low complexity
open-xchange CWE-79
6.1
2021-01-12 CVE-2021-23934 Cross-site Scripting vulnerability in Open-Xchange Appsuite
OX App Suite through 7.10.4 allows XSS via a contact whose name contains JavaScript code.
network
low complexity
open-xchange CWE-79
6.1

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
HP 6795 19 248 488 234 989