These HP computer vulnerabilities have been unpatched for over a year


A great way to protect your data and personal information from cybercriminals is to keep your devices up to date. Microsoft and Apple regularly push out updates that fix vulnerabilities, but it’s your responsibility to ensure your gadgets get those updates.

Some internal computer components run on firmware from the hardware manufacturer, such as the Wi-Fi adapter, Bluetooth connections or memory modules. So, if HP or another manufacturer detects a problem with one of their components, they issue a firmware update.

Many assume it happens as quickly as possible, but that isn’t always the case. Read on to see how HP let several vulnerabilities lapse, opening the door to cybercriminals.

Here’s the backstory

It seems that HP has a habit of leaving vulnerabilities unpatched or just not acting fast enough. For example, late last year, the company let users know of a dangerous vulnerability that can give hackers access to your machine by exploiting an Escalation of Privilege and Denial of Service flaw.

In July last year, security researchers at Binarly also notified HP of three vulnerabilities in its firmware and gave details on three more firmware vulnerabilities in April this year. However, according to the researchers, only a few flaws have been patched.

That still leaves thousands of users open to attack through System Management Module memory corruptions. The six flaws found are:

  • CVE-2022-23930: Stack-based buffer overflow leading to arbitrary code execution.
  • CVE-2022-31644: Out-of-bounds write on CommBuffer, allowing partial validation bypassing.
  • CVE-2022-31645: Out-of-bounds write on CommBuffer based on not checking the size of the pointer sent to the SMI handler.
  • CVE-2022-31646: Out-of-bounds write based on direct memory manipulation API functionality, leading to privilege elevation and arbitrary code execution.
  • CVE-2022-31640: Improper input validation giving attackers control of the CommBuffer data and opening the path to unrestricted modifications.
  • CVE-2022-31641: Callout vulnerability in the SMI handler leading to…

Source…