As reported by Bleeping Computer, HP has issued an advisory over potential security vulnerabilities that could allow arbitrary code execution with kernel privileges, which would enable hackers to access a device’s BIOS and plant malware that can’t be removed by traditional antivirus software or by reinstalling the operating system. Both vulnerabilities—CVE-2021-3808 and CVE-2021-3809—have a high-severity CVSS 3.1 base score of 8.8.
HP hasn’t revealed any technical details about the vulnerabilities. That was left to security researcher Nicholas Starke, who discovered them but has not been credited by HP despite being told they would be. “This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM),” Starke wrote. “Executing in SMM gives an attacker full privileges over the host to further carry out attacks.” Starke added that there are mitigations in some HP models that would need to be bypassed for the vulnerabilities to work, including the HP Sure Start system, which detects when the firmware runtime has been tampered with.
The extensive list of devices affected by the vulnerabilities includes business notebook PCs such as the Elite Dragonfly and several EliteBooks and ProBooks; business desktop PCs, including the EliteDesk and EliteOne; retail point-of-sale PCs like the Engage; desktop workstation PCs (Z1, Z2 lines); and four thin client PCs. You can see the complete list of affected HP devices and the corresponding SoftPaqs here. Not all of them have received the updates yet.