16 new high-impact vulnerabilities discovered in the firmware of HP enterprise devices

by Alice Zaniolo • March 11, 2022

Security vulnerabilities allow the firmware implant to survive OS updates and bypass UEFI Secure Boot, Intel Boot Guard, and virtualization-based security.

Pasadena, California, March 8, 2022. Binarly firmware security specialists announce the coordinated discovery and disclosure of 16 new high-severity vulnerabilities in various UEFI firmware implementations affecting multiple HP enterprise devices, including laptops, desktops, POS systems, and edge computing nodes.

These vulnerabilities (CVSS 7.5 - 8.8, high severity rating) were detected in HP UEFI firmware. Other related issues may affect the AMD reference code (BRLY-2021-004 / CVE-2021-39298). When Binarly ran its internal code similarity technology across its entire firmware corpus, a detection was triggered on a piece of firmware that belonged to a Dell device, although the vulnerability was originally found on HP devices. This led to the conclusion that the vulnerability exists in a piece of reference code. Further investigation linked this code to AMD's firmware driver (AgesaSmmSaveMemoryConfig), which is widespread throughout the entire computing ecosystem.

Binarly's Commitment Against Vulnerabilities

The company works continuously with the HP and CERT/CC teams to understand the extent of the vulnerabilities and reduce their impact on corporate infrastructure deployments globally. In February of this year, Binarly reported 23 critical firmware security holes affecting the entire enterprise device ecosystem. Binarly's findings follow the publication of a new draft joint report.

Binarly believes that the lack of a knowledge base of common firmware exploitation techniques and UEFI firmware primitives makes these failures repeatable for the entire industry. "We are working hard to fill this gap by providing full technical details in our notices. This knowledge base is critical to the development of effective mitigation and defense technologies for device security," said Alex Matrosov, founder and CEO of Binarly.