HP has fixed two high-severity BIOS vulnerabilities in many of its PC and notebook products. The vulnerabilities, tracked as CVE-2021-3808 and CVE-2021-3809, could allow threat actors to run code with kernel privileges. This type of attack can be described as one of the most dangerous threats for Windows, as it enables hackers to execute any command at the kernel level.
According to HP’s official advisory, “potential security vulnerabilities have been identified in the BIOS, or UEFI (Unified Extensible Firmware Interface) Firmware, for certain HP PC products, which might allow arbitrary code execution.”
What HP products are affected by CVE-2021-3808 and CVE-2021-3809?
Business notebooks such as Zbook Studio, ZHAN Pro, ProBook, and EliteDragonfly as are affected, as well as business desktop computers such as EliteDesk and ProDesk. Retail PoS machines, such as Engage are also prone to the issues, as well as workstations including Z1 and Z2. The full list of affected devices is available in the official advisory.
It is noteworthy that the vulnerabilities were discovered in November 2021 by security researcher Nicholas Starke. In his own technical write-up, he said that “this vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM). Executing in SMM gives an attacker full privileges over the host to further carry out attacks.”
“In the HP ProBook G4 650 model of laptops running firmware version 1.17.0, there exists an SMI handler that calls out from SMM,” Sparke added.
How Can Attackers Exploit the Vulnerabilities?
To exploit the weakness, threat actors should locate the memory address of the LocateProtocol function and then overwrite it with malicious code. This would allow them to trigger code execution by telling the SMI handler to execute. To successfully leverage the flaw, threat actors need to have root/SYSTEM level privileges and should execute code in System Management Mode (SMM).
The purpose of the attack would be to overwrite the UEFI Implementation (BIOS) of the targeted device with BIOS images controlled by threat actors. This could allow them to drop persistent malware on affected devices that can’t be removed in any “classical” way (i.e. by anti-malware tools or reinstalling of the OS).
Earlier this year, in February, at least 23 vulnerabilities were discovered in various implementations of UEFI firmware implemented by multiple vendors, such as HP, Lenovo, Juniper Networks, and Fujitsu. The flaws were located in Insyde Software’s InsydeH2O UEFI firmware, with most of the flaws stemming from the SMM mode (system management).
Did you know?
Unified Extensible Firmware Interface (UEFI) is a technology that connects a computer’s firmware to its operating system. The purpose of UEFI is to eventually replace the legacy BIOS. The technology is installed during manufacturing. It is also the first program running when a computer is started.