HP has issued an advisory regarding potential security limitations that may allow arbitrary code execution with Kernel privileges, which would enable hackers to access to a device''s BIOS and plant malware that cannot be removed by traditional antivirus software or reinstalling the operating system.
Both the vulnerabilitiesCVE-2021-3808 and CVE-2021-3809 have a high-severity CVSS 3.1 base score of 8.8.
HP hasn''t revealed any technical details about the vulnerabilities. Nicholas Starke, a security researcher, who discovered them, but has not been credited by HP despite being warned they would be.
"This vulnerability may allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM),," Starke wrote. "Executing in SMM gives an attacker full privileges over the host to continue attacks."
Starke said that some HP models should be bypassed for vulnerabilities, including the HP Sure Start system, which detects when firmware runtime has been hampered.
One of the problems with the HP Elite Dragonfly is the HP Elite Dragonfly.
Business notebook PCs like the Elite Dragonfly, and several EliteBooks and ProBooks are included on the extensive list of affected devices, including EliteDesk and EliteOne, retail point-of-sale PCs like Engage, desktop workstation PCs (Z1, Z2 lines) and four thin client PCs.
Here''s the complete list of affected HP devices and the corresponding SoftPaqs. Not all of them have received the updates yet.