HP Enterprises is yet to release patches for six bugs discovered by Binarly. These bugs affect devices used in enterprise environments. The systems remain at risk if HP does not take action.
Even when users reinstall the operating system, the risk of malware infection remains. Binarly said the bugs may persist for a long time. It announced these bugs publicly during Black Hat 2022. However, HP is yet to issue security updates to fix them, and affected HP devices remain vulnerable to malware attacks.
According to Binarly, it reported these six vulnerabilities, which affect some major HP devices as well as other HP products. Its team found three bugs in July 2021, while the other three were found in April 2022. The bugs were discovered in the System Management Modules of HP devices. They can cause memory corruption and can lead to the execution of arbitrary code.
The six firmware bugs include:
CVE-2022-23930 – The attacker can change the data buffer.
CVE-2022-31644 – The attacker can bypass validation.
CVE-2022-31645 – The attacker can bypass the validation, leading to memory corruption.
CVE-2022-31646 – Hackers can inject arbitrary code, manipulating memory.
CVE-2022-31640 – Hackers can get full control over CommBuffer data and modify it without restriction.
CVE-2022-31641 – Hackers can execute arbitrary code.
HP’s affected devices include Business Notebook systems, including ZBook, ProBook, and Elite. The affected business desktop computers include EliteDesk, ProOne, and ProDesk. Affected HP workstations include ZCentral, Z1, Z2, and Z4, along with some PoS (point of sale) systems.
Another report says HP released free security reports to advise the owners of affected devices. It fixed CVE-2022-23930 last March and released security updates in August for three bugs: CVE-2022-31646, CVE-2022-31645 and CVE-2022-31644.