Researchers at security firm Binarly have warned of unpatched vulnerabilities in HP firmware. Some of them were reported to HP months ago, yet the affected devices remain exposed.

Binarly develops an AI-based firmware security platform. Its researchers recently warned of several lingering critical vulnerabilities in HP firmware. HP was informed of the issues quite some time ago, but they appear to remain unresolved. Because the flaws sit in firmware below the operating system, an attacker who exploits them can run arbitrary code that OS-level security software cannot see, capture data and take over affected systems.

Six vulnerabilities

The warning concerns six vulnerabilities reported by Binarly in 2021 and 2022: CVE-2022-23930, CVE-2022-31644, CVE-2022-31645, CVE-2022-31646, CVE-2022-31640 and CVE-2022-31641.

All six vulnerabilities allow arbitrary code execution in System Management Mode (SMM). SMM is a highly privileged CPU mode entered through a System Management Interrupt (SMI); its handlers are part of the UEFI firmware shipped with PCs and laptops and run from SMRAM, a memory region the operating system and hypervisor cannot read or write. Code running in SMM therefore sits beneath the OS, the hypervisor and any security software, and a compromise at this level can persist across an OS reinstall. HP's point-of-sale systems and workstations are affected as well.
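As an added illustration of the bug class, and not code from the page, from Binarly or from HP (the article does not describe the root cause of the listed CVEs), the following C program simulates an SMI handler that writes to a buffer the caller passes in through the SMM communication area. SMRAM is modelled as a byte array, the request layout is hypothetical, and the hardened variant performs the same kind of range check that EDK II firmware does (its `SmmIsBufferOutsideSmmValid`) before touching memory supplied from the OS side:

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Simulated SMRAM (constructed for this example). On real hardware this is
   the region SMI handlers execute from and that the OS cannot access. */
#define SMRAM_SIZE 256
static uint8_t g_smram[SMRAM_SIZE];

/* Hypothetical request layout in the communication buffer the OS hands to
   the SMI handler. Every field is attacker-controlled (ring 0 writes it). */
struct smi_request {
    uint8_t *out;   /* where the handler should write its result */
    size_t   len;   /* how many bytes to write */
};

/* The whole [out, out+len) range must lie outside SMRAM, and the range
   arithmetic must not wrap around. Returns 1 if the buffer is acceptable. */
static int buffer_outside_smram(const void *p, size_t len)
{
    uintptr_t start       = (uintptr_t)p;
    uintptr_t smram_start = (uintptr_t)g_smram;
    uintptr_t smram_end   = smram_start + SMRAM_SIZE;   /* exclusive */

    if (p == NULL || len == 0)
        return 0;
    if (start > UINTPTR_MAX - len)      /* start + len would wrap */
        return 0;
    uintptr_t end = start + len;        /* exclusive */
    return end <= smram_start || start >= smram_end;
}

/* Vulnerable handler: trusts the pointer from the communication buffer.
   An attacker points `out` into SMRAM and the handler, running in SMM,
   overwrites SMM code or data on the attacker's behalf. */
int smi_handler_vulnerable(const struct smi_request *req)
{
    memset(req->out, 0x41, req->len);
    return 0;
}

/* Hardened handler: refuses any buffer that overlaps SMRAM or wraps.
   Returns -1 (the EFI_ACCESS_DENIED analogue) without writing anything. */
int smi_handler_hardened(const struct smi_request *req)
{
    if (!buffer_outside_smram(req->out, req->len))
        return -1;
    memset(req->out, 0x41, req->len);
    return 0;
}

/* Helpers so callers can observe the simulated SMRAM. */
void smram_reset(void) { memset(g_smram, 0, sizeof g_smram); }
uint8_t smram_byte(size_t i) { return i < SMRAM_SIZE ? g_smram[i] : 0; }

int main(void)
{
    uint8_t os_buf[8] = {0};
    struct smi_request legit = { os_buf, sizeof os_buf };
    struct smi_request evil  = { g_smram + 16, 8 };   /* points into SMRAM */
    int rc;

    smram_reset();
    rc = smi_handler_hardened(&legit);
    printf("hardened, OS buffer      : rc=%d\n", rc);
    rc = smi_handler_hardened(&evil);
    printf("hardened, SMRAM target   : rc=%d smram[16]=0x%02x\n", rc, smram_byte(16));
    rc = smi_handler_vulnerable(&evil);
    printf("vulnerable, SMRAM target : rc=%d smram[16]=0x%02x\n", rc, smram_byte(16));
    return 0;
}
```

The point for a reviewer of SMI handler code: everything reachable through the communication buffer, including pointers and lengths nested inside it, is untrusted, because whoever controls ring 0 controls that buffer. A missing or incomplete range check (forgetting the wrap-around case, or checking only the first byte of the range) is what turns an ordinary firmware service into an arbitrary write into SMRAM.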

For CVE-2022-23930, CVE-2022-31644, CVE-2022-31645 and CVE-2022-31646 the patch status is still listed as 'pending'. CVE-2022-31640 and CVE-2022-31641 remain unpatched on some workstation models and thin client PCs.

Free review tool

The researchers urge HP customers to check their systems for these vulnerabilities. Binarly has released an open-source tool for this purpose: FwHunt scans UEFI firmware images for the presence of the vulnerabilities in question. Because the flaws live in firmware rather than the operating system, a fully patched OS says nothing about exposure; what has to be checked is the firmware image itself, either the vendor's update package or a dump taken from the device.

In response, HP says it is aware of the unpatched issues and takes Binarly's warning seriously, but it has not given a release date for the patches.