Security News > 2022 > March > New 16 High-Severity UEFI Firmware Flaws Discovered in Millions of HP Devices

New 16 High-Severity UEFI Firmware Flaws Discovered in Millions of HP Devices
2022-03-09 03:34

Cybersecurity researchers on Tuesday disclosed 16 new high-severity vulnerabilities in various implementations of Unified Extensible Firmware Interface firmware impacting multiple HP enterprise devices.

The shortcomings, which have CVSS scores ranging from 7.5 to 8.8, have been uncovered in HP's UEFI firmware.

The most severe of the flaws concern a number of memory corruption vulnerabilities in the System Management Mode of the firmware, thereby enabling the execution of arbitrary code with the highest privileges.

The disclosure arrives a little over a month after Binarly publicized the discovery of 23 high-impact vulnerabilities in Insyde Software's InsydeH2O UEFI firmware that could be weaponized to deploy persistent malware that's capable of evading security systems.

The latest findings are also significant in light of the fact that firmware has emerged as an ever-expanding attack surface for threat actors to launch highly-targeted devastating attacks.

"Securing the firmware layer is often overlooked, but it is a single point of failure in devices and is one of the stealthiest methods in which an attacker can compromise devices at scale," the U.S. Commerce and Homeland Security departments highlighted in a report published last month.


News URL

https://thehackernews.com/2022/03/new-16-high-severity-uefi-firmware.html

Related vendor

VENDOR LAST 12M #/PRODUCTS LOW MEDIUM HIGH CRITICAL TOTAL VULNS
HP 6795 19 248 488 234 989