BIOS vulnerability?

03-28-2022 09:45 AM
Is there any truth to the vulnerability discussed in
NVD - CVE-2022-23932 (nist.gov)
If so, where can I go to find out more information on what HP systems are affected?
Accepted Solutions
03-28-2022 12:08 PM
@DaveK68 wrote: Where are you getting the idea that HP released any information on this? I cannot find any information on the HP support site.
You find all here:
https://support.hp.com/us-en/security-bulletins
HP PC BIOS February 2022 Security Update | CVE-2022-23956, CVE-2022-23953, CVE-2022-23954, CVE-2022-23955, CVE-2022-23957, CVE-2022-23958 | Feb 28, 2022 | Mar 25, 2022 |
Was this reply helpful, or just say thank you? Click on the yes button.
Please remember to mark the answers; this can help other users.
Desktop-Knowledge-Base
Windows 11 22h2 inside, user
------------------------------------------------------------------------------------------------------------
03-28-2022 10:12 AM
@DaveK68 -- Is there any truth to the vulnerability?
It is 100% truth -- unlike the content of many web-sites, such as any web-site that Russian citizens can access.
Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure.
Your computer must have been compromised before any malicious software can access your computer's BIOS, to exploit the vulnerability. So, if your computer is "safe", it is safe.
QUICK INFO
CVE Dictionary Entry: CVE-2022-23932
NVD Published Date: 03/11/2022
NVD Last Modified: 03/21/2022
Source: HP Inc.
Since HP released the notice on March 11, 2022 -- 17 days ago -- you can assume that HP was working on remediation before they published the notice. So, check the HP Support web-page for your model of HP computer, to see how HP has blocked the vulnerability -- maybe by releasing a BIOS update, or issuing an "advisory" document.
03-28-2022 10:38 AM - edited 03-28-2022 10:40 AM
@DaveK68 -- Where are you getting the idea that HP released any information on this?
I found & cited that "Quick Info" information on the web-page that you cited.
On that page, see the section:
Change History: 1 change records found show changes
and click that hyperlink.
HP was following "best practices" for responsibly reacting to any suspected vulnerability:
* verify that the vulnerability exists,
* develop a response,
* release information to the public, or posting to a "CVD" site, when they are ready -- not before.
"I cannot find any information on the HP support site."
That does not imply that no information has been posted, pertaining to your specific model-number.
03-28-2022 12:10 PM - edited 03-28-2022 12:14 PM
Related:
I'm a big believer in keeping our HP workstations' BIOS updated. The safest way to do that is to update BIOS from within BIOS... I have posted here on that both in terms of how to do it, and how to locate the BIOS-update .bin file inside the unpacked HP BIOS update SoftPaq. This is especially the case if you have an old BIOS updater written for a BIOS update from within the OS written for the XP or W7 era, and you're running W10. There are circumstances where that is the case. To expect that old in-OS BIOS updater program from long ago to work perfectly from within W10 is asking for trouble. To brick your motherboard is a bad thing.
BIOS updates used to be for bug fixes and to add in compatibility for newer processors that did not exist when your older BIOS was written. It has evolved quite a bit, to include security fixes at a BIOS level. Some people just don't get this, including some of our own IT guys. I have a friend who says to me sometimes... "Come out of your mud hut". I sometimes deserve that.
An example: For the Z440/Z640/Z840 family of workstations a new BIOS was released by HP 1/18/22. It is, per HP, for W7, W8.1, W10, and W11, all versions. Here is from the HP release document:
ENHANCEMENTS:
- Includes enhancements to mitigate security vulnerabilities CVE-2021-0092, CVE-2021-0099, CVE-2021-0103, CVE-2021-0107, CVE-2021-0111, CVE-2021-0114, CVE-2021-0115, CVE-2021-0116, CVE-2021-0117, CVE-2021-0118, CVE-2021-0124, CVE-2021-0125, CVE-2021-3661, CVE-2021-39297, and CVE-2021-39301.
- Updates Intel processor microcode to 0x49 for Xeon E5 v3 processors and 0x40 for Xeon E5 v4 processors.
- Updates Intel TXT BIOS ACM to v3.1.3
- Updates Intel TXT SINIT ACM to v3.1.6
- Updates UEFI Diagnostics to v2.2.7.0
In this day and age, if you think you don't need that... come out of your mud hut. My guess is that we'll be seeing more of this type of BIOS update.