Do you use an HP laptop, desktop, or POS terminal?
HP recently released a BIOS update to address a pair of high-severity vulnerabilities that affect a wide range of PC and notebook products offered by the company. In both cases, the vulnerabilities would allow an attacker to execute code arbitrarily and with Kernel level privileges.
The two flaws are being tracked as CVE-2021-3808 and CVE-2021-3809 respectively, and both bear a CVSS 3.1 score of 8.8 which makes them both serious issues indeed.
Worse, the two issues impact more than 200 models of HP equipment, including Zbook Studio, ZHAN Pro, EliteBook, ProBook, Elite Dragonfly, business desktop PCs like the EliteDesk and ProDesk, retail PoS computers like the Engage, workstations like the Z1 and Z2, and thin client PCs.
For a comprehensive listing of impacted products, please refer to HP's security advisory page and scan for the product you own.
Security researcher Nicholas Starke has done a deep dive into both issues.
Starke had this to say about the vunerability
"This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM). Executing in SMM gives an attacker full privilege over the host to further carry out attacks."
HP has been having a tough time of things lately. Just two months ago, the company released a BIOS update that addressed sixteen separate flaws. Three months before that, they released a BIOS update that addressed a completely different set of flaws.
Kudos to HP for their time and attention to this matter. However, one has to wonder what has broken down in their core development process that allowed so many serious BIOS flaws to slip through undetected in the first place?
My perspective
Unfortunately, there's no word on that but if you haven't yet applied the latest security update, you'll definitely want to apply this one as soon as possible.
"Life is what happens when you're busy making other plans." -John Lennon
By Denis Wilson
Thanks for reading this post. I always take into mind that your time and attention are precious. And these posts need to be timely, to the point, and short.
For more tips on thriving with small business technology, check out the other blog posts at DWPIA Blogs. You can also find me on LinkedIn, Facebook, and Twitter.
I am also a published author and speaker on cloud computing, work-at-home, and cybersecurity. I work extensively with business and professional associations to provide free small business technology education programs.
Contact me if you would like me to speak to your association
