HP Fixes UEFI Flaws Affecting 200+ Computers

This article has been indexed from CySecurity News – Latest Information Security and Hacking Incidents

HP released updates for two high-severity flaws in the UEFI firmware of more than 200 laptops, workstations, and other products on Wednesday. 
CVE-2021-3808 and CVE-2021-3809 are the two flaws, which have a CVSS score of 8.8. HP credited Aruba Threat Labs’ Nicholas Starke and a researcher going by the online handle “yngweijw” with reporting the issues but did not disclose technical details on either of the flaws. 
The company did, however, provide a list of affected products, which includes a variety of corporate notebooks and desktop PCs, as well as desktop workstations, retail point-of-sale devices, and thin client PCs. 
“Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities,” HP notes in its advisory. 
According to Starke, HP took almost six months to fix CVE-2021-3809, the issue he disclosed. He adds that the security flaw is due to an SMI (System Management Interrupt) handler called from System Management Mode (SMM), a highly privileged x86 processor execution mode. According to Starke, the SMI handler may be triggered from a kernel execution context, such as a Windows kernel driver, enabling a

[…]