Two HP BIOS Vulnerabilities Fixed
HP released a new security advisory covering 2 new vulnerabilities in over 200 of their models. CVE-2021-3808 and CVE-2021-3809 both have a CVSS base score of 8.8. HP hasn't released any technical details surrounding the vulnerability aside from that it lies in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution.
Luckily it seems that a security researcher Nicholas Starke who alerted HP to the vulnerabilities has posted some additional technical details on his blog.
"This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM). Executing in SMM gives an attacker full privileges over the host to further carry out attacks."
Vulnerabilities in the System Management Mode (SMM) have been discovered more often recently. Dell had vulnerabilities in the SMM requiring a BIOS update in late March. Lenovo followed only a month later with its own vulnerabilities in the SMM and also releasing new BIOS versions.
Discover Vulnerable Devices
HP's security advisory contains a list of all vulnerable devices, and the new BIOS versions released. We've used this information to create a special Lansweeper report that will provide a list of all devices in your environment that might be affected by the vulnerabilities while also listing the device's BIOS data and which BIOS version HP recommends to install to protect against these new vulnerabilities.