Binarly Discovers 16 New, High-Impact Vulnerabilities in Firmware Affecting HP Enterprise Devices

Security vulnerabilities allow firmware implantation that survives operating system updates and bypasses UEFI Secure Boot, Intel Boot Guard, and virtualization-based security.

Pasadena, California – March 8, 2022 - Firmware security specialists Binarly announces the discovery and coordinated disclosure of 16 new high-severity vulnerabilities in various implementations of UEFI firmware affecting multiple HP enterprise devices including laptops, desktops, point-of-sale systems, and edge computing nodes.

These vulnerabilities (CVSS scores of 7.5 to 8.8, all rated High) were found in HP UEFI firmware, and some of the issues also affect AMD reference code (BRLY-2021-004 / CVE-2021-39298).

Binarly’s in-house code similarity technology, run across its whole firmware corpus, triggered a detection on firmware belonging to a Dell device for a vulnerability originally found on HP devices. That cross-vendor match led to the conclusion that the vulnerability lives in shared reference code; further investigation tied it to AMD’s firmware driver (AgesaSmmSaveMemoryConfig), which is deployed widely across the computing ecosystem.

Binarly reported the new findings to CERT/CC to coordinate the multi-vendor disclosure of all of these vulnerabilities.

The company continues to collaborate with the HP and CERT/CC teams to understand the scope of the vulnerabilities and reduce their impact on enterprise infrastructure deployments globally.

In February this year, Binarly reported 23 critical firmware security flaws affecting the entire enterprise device ecosystem (see media coverage at SecurityWeek and ZDNet).

The Binarly discoveries follow the publication of a new joint draft report issued by the leadership of the U.S. Department of Homeland Security (DHS) and Department of Commerce that identified firmware security as a major threat facing U.S. software supply chains.

“Securing the firmware layer is often overlooked, but it is a single point of failure in devices and is one of the stealthiest methods in which an attacker can compromise devices at scale,” according to the U.S. government report.

“Attackers can subvert OS and hypervisor visibility and bypass most security systems, hide, and persist in networks and devices for extended periods of time while conducting attack operations, and inflict irrevocable damage,” the two U.S. agencies said.

Many device manufacturers and firmware development companies underestimate the impact of third-party risk from already known vulnerabilities. Binarly telemetry data shows that a vulnerability already known and fixed by one vendor can remain unpatched for months in other vendors’ products.

“Security is always a top priority for HP, and we value the work that Binarly is doing and thank them for responsibly reporting to HP. Please follow our Security Bulletins for updates. We encourage our customers to always keep their systems up to date,” said HP PSIRT.

The HP disclosure information is available at:

https://support.hp.com/us-en/document/ish_5661066-5661090-16

https://support.hp.com/us-en/document/ish_5817864-5817896-16

A breakdown of the vulnerabilities and their impact:

CVE ID          Binarly ID     Description                                                  CVSS score
CVE-2021-39297  BRLY-2021-003  DXE stack buffer overflow (arbitrary code execution)         7.7 High
CVE-2021-39298  BRLY-2021-004  SMM callout (privilege escalation)                           8.8 High
CVE-2021-39299  BRLY-2021-005  DXE stack buffer overflow (arbitrary code execution)         8.2 High
CVE-2021-39300  BRLY-2021-006  DXE stack overflow vulnerability (arbitrary code execution)  8.2 High
CVE-2021-39301  BRLY-2021-007  DXE stack overflow (arbitrary code execution)                7.7 High
CVE-2022-23924  BRLY-2021-032  SMM heap buffer overflow (arbitrary code execution)          8.2 High
CVE-2022-23925  BRLY-2021-033  SMM memory corruption (arbitrary code execution)             8.2 High
CVE-2022-23926  BRLY-2021-034  SMM memory corruption (arbitrary code execution)             8.2 High
CVE-2022-23927  BRLY-2021-035  SMM memory corruption (arbitrary code execution)             8.2 High
CVE-2022-23928  BRLY-2021-036  SMM memory corruption (arbitrary code execution)             8.2 High
CVE-2022-23929  BRLY-2021-037  SMM memory corruption (arbitrary code execution)             8.2 High
CVE-2022-23930  BRLY-2021-038  SMM memory corruption (arbitrary code execution)             8.2 High
CVE-2022-23931  BRLY-2021-039  SMM memory corruption (arbitrary code execution)             8.2 High
CVE-2022-23932  BRLY-2021-040  SMM callout (privilege escalation)                           8.2 High
CVE-2022-23933  BRLY-2021-041  SMM callout (privilege escalation)                           8.2 High
CVE-2022-23934  BRLY-2021-042  SMM memory corruption (arbitrary code execution)             8.2 High

The impacted devices range from laptops and desktops to retail point-of-sale systems. By exploiting the vulnerabilities disclosed, an attacker can execute privileged code in firmware, below the operating system, and potentially install persistent malicious code that survives operating system reinstallation and bypasses endpoint security solutions (EDR/AV), Secure Boot and Virtualization-Based Security isolation.
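The SMM entries in the table above share one shape: an SMI handler, running in the most privileged mode on the CPU, acts on data that code in ring 0 can control. The following is an added illustration, not code from this page nor from Binarly, HP or AMD firmware. It is a small user-space model of an SMI handler that copies a payload to a caller-supplied address, first without validating that address (the “SMM memory corruption” pattern) and then with the check firmware should apply, modelled on EDK2’s SmmIsBufferOutsideSmmValid(). The memory map, the request layout, the SMM_LOCK state byte and every name in it are invented for the example; “physical memory” is a byte array.

```c
/*
 * Added illustration, not code from Binarly, HP or AMD: a user-space model of
 * an SMI handler that trusts a pointer from the SMM communication buffer.
 * "Physical memory" is a byte array; the SMRAM window, the request layout and
 * the SMM_LOCK state byte are invented for the example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define MEM_SIZE   0x1000u
#define SMRAM_BASE 0x0800u   /* hypothetical SMRAM window [0x800, 0x1000) */
#define SMRAM_SIZE 0x0800u
#define COMM_BUF   0x0100u   /* OS-writable communication buffer */
#define SMM_LOCK   0x0900u   /* SMM-private state that lives inside SMRAM */

static uint8_t g_mem[MEM_SIZE];   /* simulated physical address space */

/* Request the caller places at COMM_BUF (layout constructed for the example). */
typedef struct {
    uint32_t dst;            /* address the handler should copy the payload to */
    uint32_t len;            /* payload length */
    uint8_t  payload[16];
} SaveRequest;

/* Modelled on EDK2's SmmIsBufferOutsideSmmValid(): true only when
 * [addr, addr+len) is non-empty, does not wrap, stays on the simulated map
 * and does not overlap SMRAM. */
bool buffer_outside_smram(uint32_t addr, uint32_t len)
{
    if (len == 0) return false;
    if (addr > UINT32_MAX - len) return false;   /* addr + len would wrap */
    uint32_t end = addr + len;                    /* exclusive end */
    if (end > MEM_SIZE) return false;
    return end <= SMRAM_BASE || addr >= SMRAM_BASE + SMRAM_SIZE;
}

static void reset_memory(void)
{
    memset(g_mem, 0, sizeof g_mem);
    g_mem[SMM_LOCK] = 1;                          /* 1 = locked */
}

/* Vulnerable: dst and len come straight from OS-controlled memory and are
 * used unchecked, so the caller can aim the write anywhere, including SMRAM
 * (len is not bounded by sizeof payload either). */
static void smi_handler_vulnerable(uint32_t req_addr)
{
    SaveRequest req;
    memcpy(&req, &g_mem[req_addr], sizeof req);
    memcpy(&g_mem[req.dst], req.payload, req.len);
}

/* Hardened: snapshot the request into SMM-local storage (so another core
 * cannot change it after validation), bound len, and refuse any destination
 * range that touches SMRAM. */
static bool smi_handler_hardened(uint32_t req_addr)
{
    SaveRequest req;
    memcpy(&req, &g_mem[req_addr], sizeof req);
    if (req.len > sizeof req.payload) return false;
    if (!buffer_outside_smram(req.dst, req.len)) return false;
    memcpy(&g_mem[req.dst], req.payload, req.len);
    return true;
}

/* Ring-0 attacker: point dst at SMM-private state and ask SMM to clear it.
 * Returns the lock byte after the SMI: 0 means SMM overwrote its own memory. */
uint8_t attack(bool hardened)
{
    reset_memory();
    SaveRequest req = { .dst = SMM_LOCK, .len = 1, .payload = { 0 } };
    memcpy(&g_mem[COMM_BUF], &req, sizeof req);
    if (hardened) smi_handler_hardened(COMM_BUF);
    else          smi_handler_vulnerable(COMM_BUF);
    return g_mem[SMM_LOCK];
}

/* A legitimate request targeting memory outside SMRAM still succeeds. */
bool legit_request_ok(void)
{
    reset_memory();
    SaveRequest req = { .dst = 0x0400u, .len = 4 };
    memcpy(req.payload, "cfg!", 4);
    memcpy(&g_mem[COMM_BUF], &req, sizeof req);
    return smi_handler_hardened(COMM_BUF) && memcmp(&g_mem[0x0400u], "cfg!", 4) == 0;
}
```

An SMM callout, the other class in the table, is the sibling mistake: the handler transfers control through a pointer (a function table, a protocol interface) that itself lives outside SMRAM, so the same ring-0 attacker can redirect it. The fix principle is the one smi_handler_hardened follows: copy caller-visible data into SMRAM before using it, and reject any address or call target that is not where the handler expects it to be.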

“Binarly believes that the lack of a knowledge base of common firmware exploitation techniques and primitives related to UEFI firmware makes these failures repeatable for the entire industry. We are working hard to fill this gap by providing comprehensive technical details in our advisories. This knowledge base is crucial for developing effective mitigations and defense technologies for device security,” said Alex Matrosov, Founder and CEO at Binarly.

Additional Information:

Read detailed descriptions of the discoveries in the Binarly vulnerability advisories: https://www.binarly.io/advisories

Read additional details on the Binarly blog:

https://www.binarly.io/posts

About Binarly

Founded in 2021, Binarly brings decades of research experience identifying hardware and firmware security weaknesses and threats. Based in Pasadena, California, Binarly’s agentless, enterprise-class AI-powered firmware security platform helps protect against advanced threats below the operating system. The company’s technology addresses firmware supply chain security problems by identifying vulnerabilities and malicious firmware modifications and by providing firmware SBOM visibility, all without access to source code. Binarly’s cloud-agnostic solutions give enterprise security teams actionable insights and reduce the cost and time to respond to security incidents.

Media Contact

media@binarly.io

818.351.9637