HP has released firmware updates for more than 200 models of laptops, workstations, point-of-sale PCs, and thin clients to address two vulnerabilities in their UEFI firmware.
The company says the vulnerabilities, CVE-2021-3808 and CVE-2021-3809, “may allow arbitrary code execution” on systems running earlier versions of the UEFI firmware. Both vulnerabilities are rated High severity and carry CVSS scores of 8.8 out of 10.
HP says the flaw affects products across many of its lines and several device categories; a full list of affected models is available in the security advisory. (BleepingComputer notes that not all of the affected devices have received a patch yet, so it is worth keeping an eye on that advisory.)
The company has not offered any additional information about the vulnerabilities in its advisory, and at the time of writing neither has the National Vulnerability Database. However, the security researcher who found the flaw, Nicholas Starke, has provided more details on their blog.
“This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM),” Starke says. “Executing in SMM gives an attacker full privileges over the host to further carry out attacks.”
HP did not immediately respond to a request for more details about the vulnerabilities, or for an explanation of why it had not credited Starke with discovering the flaws in the security advisory.
The long list of devices affected by the vulnerabilities includes business notebook PCs such as the Elite Dragonfly and many EliteBook and ProBook models; business desktop PCs, including the EliteDesk and EliteOne; retail point-of-sale PCs such as the Engage; desktop workstation PCs (the Z1 and Z2 lines); and four thin client PCs.