HP Customer Support - Knowledge Base
HP UEFI Firmware February 2022 Security Updates

Potential vulnerabilities have been identified in UEFI firmware (BIOS) for some PC products which may allow escalation of privilege and arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities.

Severity

High

HP Reference

HPSBHF03765 Rev. 7

Release date

February 2, 2022

Last updated

December 1, 2022

Category

PC

Potential Security Impact

Escalation of Privilege, Arbitrary Code Execution

Relevant Common Vulnerabilities and Exposures (CVE) List

Reported by: BINARLY efiXplorer team

List of CVE IDs

CVE ID           Base Score   Base Vector                                    Vendor ID
CVE-2021-39298   8.8          CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H   HP
CVE-2021-39297   7.5          CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H   HP
CVE-2021-39299   7.5          CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H   HP
CVE-2021-39300   7.5          CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H   HP
CVE-2021-39301   7.5          CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H   HP

Learn more about CVSS 3.1 base metrics, which range from 0 to 10.

PSR: PSR-2021-0112

Background

  • On February 4, 2022, BINARLY published five (5) vulnerabilities in HP UEFI Firmware for a presentation at Offensive Security Conference Berlin 2022 (OffensiveCon Berlin 2022). These vulnerabilities were published as advisories BRLY-2021-003, BRLY-2021-004, BRLY-2021-005, BRLY-2021-006, and BRLY-2021-007 on BINARLY’s Advisories (in English) webpage.

    On February 4, 2022, HP released this security bulletin for the five vulnerabilities listed above as part of a coordinated disclosure with BINARLY for the OffensiveCon presentation.

  • On March 8, 2022, BINARLY published an additional eleven (11) vulnerabilities in HP UEFI Firmware on their Advisories (in English) webpage. These vulnerabilities were published as advisories BRLY-2021-032, BRLY-2021-033, BRLY-2021-034, BRLY-2021-035, BRLY-2021-036, BRLY-2021-037, BRLY-2021-038, BRLY-2021-039, BRLY-2021-040, BRLY-2021-041, and BRLY-2021-042.

    On March 8, 2022, HP released security bulletin HP PC BIOS February 2022 Security Updates for 11 Vulnerabilities for the additional 11 vulnerabilities.

  • Additionally, on March 8, BINARLY released a blog post combining the advisories (the 5 in this bulletin and the 11 new advisories) into a single report, 16 high impact vulnerabilities discovered in HP devices (in English).

    HP is addressing all sixteen (16) of the vulnerabilities identified in BINARLY's March 8, 2022 blog report between this security bulletin and the newer security bulletin HP PC BIOS February 2022 Security Updates for 11 Vulnerabilities issued on March 8.

  • On May 11, 2022, BINARLY presented new vulnerabilities in HP UEFI Firmware in a presentation at Black Hat® Asia 2022. These vulnerabilities were published as BRLY-2021-050, BRLY-2021-051, BRLY-2021-053 on BINARLY’s Advisories (in English) webpage.

    BRLY-2021-053 is covered in this security bulletin; it is mitigated by the updates for CVE-2021-39299 and CVE-2021-39300.

    BRLY-2021-050 and BRLY-2021-051 are covered by CVE-2022-23954 and CVE-2022-23955 (respectively) in the HP security bulletin entitled HP PC BIOS February 2022 Security Update.

We would like to thank BINARLY for independently reporting these issues.

Note:

Mitigation for these five vulnerabilities might already be available for products identified in this security bulletin. When available, BIOS update versions identified in the newer security bulletin HP PC BIOS February 2022 Security Updates for 11 Vulnerabilities will contain cumulative mitigation for all sixteen vulnerabilities and will supersede versions identified in this security bulletin.

Resolution

HP has identified affected platforms and corresponding SoftPaqs with minimum versions that mitigate the potential vulnerabilities. See the affected platforms listed below.

Newer versions may become available and the minimum versions listed below may become obsolete. If a SoftPaq link becomes invalid, check the HP Customer Support - Software and Driver Downloads site to obtain the latest update for your product model.

HP recommends keeping your system up to date with the latest firmware and software.

Note:

This bulletin may be updated when new information and/or SoftPaqs are available. Sign up for HP Subscriptions to be notified and receive:

  • Product support eAlerts

  • Driver updates

  • Security bulletin updates

SoftPaqs and affected products

Find the SoftPaqs that resolve the vulnerabilities of your system.

SoftPaq Status

A status is provided if no SoftPaq is listed for a particular product.

  • Pending: SoftPaq is in progress.

  • Under investigation: System under investigation for impact, or the SoftPaq is under investigation for feasibility/availability.

  • Not available: SoftPaq not available due to technical or logistical constraints.

  • Check Support Page: The listed SoftPaq has been removed from the download site. SoftPaqs with newer versions may be available on the HP Customer Support - Software and Driver Downloads site.