High-Severity BIOS Vulnerability Found In Multiple HP Product Models

HP have fixed a severe BIOS vulnerability affecting their laptops, desktops, and POS computer systems. Exploiting the bug could allow an adversary to overwrite device firmware. Given the seriousness of the flaw, all HP users must update their devices to receive the patches.

HP BIOS Vulnerability

The security researcher Nicholas Starke has shared details about a major security flaw affecting HP products. The vulnerability existed in the HP BIOS across multiple laptops, desktops, and POS PC models.

As elaborated in his post, the researcher discovered the vulnerability in late 2021, after which he reported the matter to HP.

Specifically, he observed the bug with the System Management Interrupt Handler (SMI Handler) software. Describing the flaw, Starke stated in the post,

There is a software System Management Interrupt Handler (SMI Handler) registered with the SMI code 99 (0x63). This handler can be triggered from a kernel execution context such as a Windows Kernel Driver by executing the out instruction with the arguments 0xb2 and 0x63 (__outbyte(0xb2, 0x63))). This will cause the SMI handler to execute.

Such execution, according to Starke, would allow an adversary to gain elevated privileges by triggering the System Management Mode (SMM).

This vulnerability has received the ID number CVE-2021-3808 and a high-severity rating with a CVSS score of 8.8. In his post, the researcher has shared the technical details about the bug he found in the HP ProBook G4 650 model of laptops running firmware version 1.17.0.

Following the bug report, HP started working on developing a fix for the bug. Consequently, the tech giant issued a patch with firmware version 01.19.00, as the researcher confirmed.

Besides, as mentioned in HP’s advisory, the tech giant also fixed another high-severity bug, CVE-2021-3808, with the latest updates.

The advisory includes an exhaustive list of different HP Business Notebooks, desktops, Thin Client PCs, Workstation PCs, and Point-of-Sale PCs affected by this vulnerability. Users can go through the advisory to check if their respective device exists in the list. If found, users should rush to update their systems with the latest firmware patches.