April 8 2025
Hot Pick

Firmware bugs in HP computer models were left unfixed for over a year


A set of six high-severity firmware vulnerabilities affecting a broad range of HP devices used in enterprise environments is still waiting to be patched on some models. All six are memory corruption flaws in SMM (System Management Mode) code that lead to arbitrary code execution with SMM privileges.


The researchers who found the flaws pointed out that, although a month has passed since some of them were disclosed publicly at Black Hat 2022, HP has not released security updates for all impacted models, leaving many customers exposed to attacks.


The six flaws that HP has left unpatched for months are:

· CVE-2022-23930 – Stack-based buffer overflow leading to arbitrary code execution.

· CVE-2022-31644 – Out-of-bounds write on CommBuffer, allowing partial validation bypassing.

· CVE-2022-31645 – Out-of-bounds write on CommBuffer based on not checking the size of the pointer sent to the SMI handler.

· CVE-2022-31646 – Out-of-bounds write based on direct memory manipulation API functionality, leading to privilege elevation and arbitrary code execution.

· CVE-2022-31640 – Improper input validation giving attackers control of the CommBuffer data and opening the path to unrestricted modifications.

· CVE-2022-31641 – Callout vulnerability in the SMI handler leading to arbitrary code execution.


SMM is a highly privileged CPU operating mode that UEFI firmware uses for system-wide functions like low-level hardware control and power management. Its code runs in SMRAM, a region the operating system and hypervisor cannot read or modify, so arbitrary code execution in SMM sits beneath every OS-level defense and can be used to bypass firmware protections and persist across reinstalls. HP has released three security advisories acknowledging the vulnerabilities, along with an equal number of BIOS updates addressing the issues for some of the impacted models.
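Four of the six flaws listed above are CommBuffer pointer and size validation problems in SMI handlers. The example below, added here and not code from HP's firmware or from the researchers' report, simulates the bug class in plain C: SMRAM is modelled as an ordinary byte array, the CommBuffer layout (a destination pointer, a length and a payload) is constructed for the example, and the vulnerable handler writes wherever the caller's pointer says, while the hardened handler first checks that both the CommBuffer and the destination range lie entirely outside SMRAM and that the length fits the payload. The range check reimplements the logic of EDK2's SmmIsBufferOutsideSmmValid(); it is not that function.

```c
/* Added example: simulated SMI handler with and without CommBuffer validation.
 * Not HP firmware; the CommBuffer layout and SMRAM model are constructed here. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdbool.h>
#include <stdio.h>

/* Simulated SMRAM. On real hardware this memory is only accessible while the CPU
 * is in System Management Mode; here it is a plain array so the example runs. */
#define SMRAM_SIZE   4096
#define SECRET_OFFSET 1024
#define SECRET_LEN    16
static uint8_t g_smram[SMRAM_SIZE];

/* Communication buffer shared between the OS-level caller and the SMI handler.
 * Every field is attacker-controlled: the OS writes it, the handler reads it. */
typedef struct {
    uint8_t *dest;       /* where the handler should copy the payload */
    uint32_t len;        /* payload length as claimed by the caller */
    uint8_t  payload[64];
} comm_buffer_t;

/* True if [addr, addr+len) does not overlap SMRAM and the range does not wrap.
 * Mirrors the intent of EDK2's SmmIsBufferOutsideSmmValid() (reimplemented). */
static bool buffer_outside_smram(const void *addr, size_t len) {
    uintptr_t start = (uintptr_t)addr;
    if (len == 0 || start > UINTPTR_MAX - len) return false;   /* empty or wrapping */
    uintptr_t end         = start + len;
    uintptr_t smram_start = (uintptr_t)g_smram;
    uintptr_t smram_end   = smram_start + SMRAM_SIZE;
    return end <= smram_start || start >= smram_end;
}

/* Vulnerable handler: trusts dest and len, so the caller can aim the write at
 * SMRAM. This is the CommBuffer pointer/size bug class described above. */
static int smi_handler_vulnerable(comm_buffer_t *cb) {
    memcpy(cb->dest, cb->payload, cb->len);
    return 0;
}

/* Hardened handler: the CommBuffer itself and the destination range must both be
 * outside SMRAM, and len must fit the payload, before anything is written. */
static int smi_handler_hardened(comm_buffer_t *cb) {
    if (!buffer_outside_smram(cb, sizeof *cb)) return -1;    /* CommBuffer in SMRAM */
    if (cb->len == 0 || cb->len > sizeof cb->payload) return -1; /* bogus length */
    if (!buffer_outside_smram(cb->dest, cb->len)) return -1; /* dest overlaps SMRAM */
    memcpy(cb->dest, cb->payload, cb->len);
    return 0;
}

/* Constructed attack: a CommBuffer whose dest points at a secret inside SMRAM.
 * Returns 1 if the secret was overwritten by the handler, 0 if it survived. */
static int run_attack(int (*handler)(comm_buffer_t *)) {
    memset(g_smram, 0, SMRAM_SIZE);
    memset(g_smram + SECRET_OFFSET, 0xAA, SECRET_LEN);

    comm_buffer_t cb;                   /* lives in normal memory, like a real CommBuffer */
    memset(&cb, 0, sizeof cb);
    cb.dest = g_smram + SECRET_OFFSET;  /* attacker-chosen pointer into SMRAM */
    cb.len  = SECRET_LEN;
    memset(cb.payload, 0x41, cb.len);

    handler(&cb);

    for (size_t i = 0; i < SECRET_LEN; i++)
        if (g_smram[SECRET_OFFSET + i] != 0xAA) return 1;
    return 0;
}

/* Legitimate (or oversized) request with dest in normal memory; returns the
 * handler's status so callers can see accepted vs. rejected requests. */
static int run_legit(int (*handler)(comm_buffer_t *), uint8_t *out, uint32_t len) {
    comm_buffer_t cb;
    memset(&cb, 0, sizeof cb);
    cb.dest = out;
    cb.len  = len;
    memset(cb.payload, 0x42, len < sizeof cb.payload ? len : sizeof cb.payload);
    return handler(&cb);
}

int main(void) {
    uint8_t out[64];
    printf("vulnerable handler, SMRAM secret tampered: %d\n", run_attack(smi_handler_vulnerable));
    printf("hardened handler,   SMRAM secret tampered: %d\n", run_attack(smi_handler_hardened));
    printf("hardened handler, legit 16-byte request:  %d\n", run_legit(smi_handler_hardened, out, 16));
    printf("hardened handler, oversized length:       %d\n", run_legit(smi_handler_hardened, out, 1000));
    return 0;
}
```

The same range check applies in the opposite direction to the callout flaw (CVE-2022-31641): any function pointer an SMI handler is about to call must lie inside SMRAM, otherwise the handler executes attacker-placed code with SMM privileges. Note also that the length check is done before the pointer check on purpose: validating a range whose length is attacker-controlled without first bounding that length is exactly how the "partial validation bypass" in CVE-2022-31644 arises.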