"HP Fixes Bug Letting Attackers Overwrite Firmware in Over 200 Models"

HP has released BIOS updates to fix two high-severity vulnerabilities impacting various PC and notebook products. Exploiting these vulnerabilities enables code to run with kernel privileges, which are the highest rights in Windows, allowing threat actors to execute any command at the kernel level, manipulate drivers, and access the BIOS. The flaws, tracked as CVE-2021-3808 and CVE-2021-3809, were both given a CVSS 3.1 base score of 8.8. Products impacted by the high-severity security flaws include business notebooks, business desktop PCs, retail PoS computers, and workstations such as ZBook Studio, ZHAN Pro, EliteBook, ProBook, Elite Dragonfly, EliteDesk, Engage, and more.

According to Nicholas Starke, the researcher who discovered and reported the flaws, their exploitation could allow an attacker executing with kernel-level privileges to escalate privileges to System Management Mode (SMM). Starke explains that executing in SMM gives the attacker full privileges over the host, which can be used to perform further malicious activities. The problem seems to stem from the fact that the SMI handler can be triggered from the OS environment, for instance, via the Windows kernel driver. An attacker would need to find the memory address of the “LocateProtocol” function and overwrite it with malicious code. The attacker can then trigger code execution by instructing the SMI handler to execute.

The goal of this type of attack would be to overwrite the UEFI implementation (BIOS) of the machine with attacker-controlled BIOS images so the attacker could plant persistent malware. This malware could not be removed using antivirus tools or an OS reinstall. This article continues to discuss the potential exploitation and impact of the two high-severity bugs recently fixed by HP.

Bleeping Computer reports "HP Fixes Bug Letting Attackers Overwrite Firmware in Over 200 Models"


 
