HP patches 16 UEFI firmware bugs allowing stealthy malware infections (Security News, March 2022)
HP has disclosed 16 high-impact UEFI firmware vulnerabilities that could allow threat actors to infect devices with malware that gains high privileges and remains undetectable by installed security software.
SMM:

- CVE-2021-23924: heap buffer overflow leading to arbitrary code execution.
- CVE-2021-23931: heap buffer overflow leading to arbitrary code execution.
- CVE-2021-23934: memory corruption leading to arbitrary code execution (CVSS 8.2).

DXE:

- CVE-2021-39297: stack buffer overflow leading to arbitrary code execution.
- CVE-2021-39299: stack buffer overflow leading to arbitrary code execution.
One of the flaws, CVE-2021-39298, was identified as an AMD reference code vulnerability; as such, it affects not only HP but numerous other computer vendors that use the same firmware driver.
Related vulnerabilities

| DATE | CVE | VULNERABILITY TITLE | RISK |
|---|---|---|---|
| 2022-02-16 | CVE-2021-39299 | Unspecified vulnerability in HP products: Potential vulnerabilities have been identified in UEFI firmware (BIOS) for some PC products which may allow escalation of privilege and arbitrary code execution. | 8.8 |
| 2022-02-16 | CVE-2021-39298 | Unspecified vulnerability in HP products: A potential vulnerability in AMD System Management Mode (SMM) interrupt handler may allow an attacker with high privileges to access the SMM resulting in arbitrary code execution which could be used by malicious actors to bypass security mechanisms provided in the UEFI firmware. | 8.8 |
| 2022-02-16 | CVE-2021-39297 | Unspecified vulnerability in HP products: Potential vulnerabilities have been identified in UEFI firmware (BIOS) for some PC products which may allow escalation of privilege and arbitrary code execution. | 8.8 |
| 2021-04-01 | CVE-2021-23924 | Information Exposure Through Log Files vulnerability in Devolutions Server: An issue was discovered in Devolutions Server before 2020.3. | 7.5 |
| 2021-01-12 | CVE-2021-23931 | Cross-site Scripting vulnerability in Open-Xchange Appsuite: OX App Suite through 7.10.4 allows XSS via an inline binary file. | 6.1 |
| 2021-01-12 | CVE-2021-23934 | Cross-site Scripting vulnerability in Open-Xchange Appsuite: OX App Suite through 7.10.4 allows XSS via a contact whose name contains JavaScript code. | 6.1 |