HP Recommended

Is there any truth to the vulnerability discussed in

NVD - CVE-2022-23932 (nist.gov)

If so, where can I go to find out more information on what HP systems are affected?

 

1 ACCEPTED SOLUTION

HP Recommended

@DaveK68 wrote:

Where are you getting the idea that HP released any information on this?  I cannot find any information on the HP support site.


You find all here:

https://support.hp.com/us-en/security-bulletins

 

HP PC BIOS February 2022 Security Update
CVE-2022-23956, CVE-2022-23953, CVE-2022-23954, CVE-2022-23955, CVE-2022-23957, CVE-2022-23958
Feb 28, 2022 | Mar 25, 2022

 


5 REPLIES 5
HP Recommended

@DaveK68 -- Is there any truth to the vulnerability?

 

It is 100% truth -- unlike the content of many web-sites, such as any web-site that Russian citizens can access.

 

Potential vulnerabilities have been identified in the system BIOS of certain HP PC products which may allow Escalation of Privilege, Arbitrary Code Execution, Unauthorized Code Execution, Denial of Service, and Information Disclosure.

 

Your computer must have been compromised before any malicious software can access your computer's BIOS, to exploit the vulnerability.  So, if your computer is "safe", it is safe.

 

QUICK INFO
CVE Dictionary Entry: CVE-2022-23932
NVD Published Date: 03/11/2022
NVD Last Modified: 03/21/2022
Source: HP Inc.

 

Since HP released the notice on March 11, 2022 -- 17 days ago -- you can assume that HP was working on remediation before they published the notice.  So, check the HP Support web-page for your model of HP computer, to see how HP has blocked the vulnerability -- maybe by releasing a BIOS update, or issuing an "advisory" document.


HP Recommended

Where are you getting the idea that HP released any information on this?  I cannot find any information on the HP support site.

HP Recommended

@DaveK68 -- Where are you getting the idea that HP released any information on this?  

 

I found & cited that "Quick Info" information on the web-page that you cited.

On that page, see the section:

Change History:  1 change records found show changes

 

and click that hyperlink.

 

HP was following "best practices" for responsibly reacting to any suspected vulnerability:

* verify that the vulnerability exists,

* develop a response,

* release information to the public, or posting to a "CVD" site, when they are ready -- not before.

 

I cannot find any information on the HP support site.

 

That does not imply that no information has been posted, pertaining to your specific model-number.

 

HP Recommended

Related:

 

I'm a big believer in keeping our HP workstations' BIOS updated.  The safest way to do that is to update BIOS from within BIOS... I have posted here on that both in terms of how to do it, and how to locate the BIOS-update .bin file inside the unpacked HP BIOS update SoftPaq.  This is especially the case if you have an old BIOS updater written for a BIOS update from within the OS written for the XP or W7 era, and you're running W10.  There are circumstances where that is the case. To expect that old in-OS BIOS updater program from long ago to work perfectly from within W10 is asking for trouble. To brick your motherboard is a bad thing.

 

BIOS updates used to be for bug fixes and to add in compatibility for newer processors that did not exist when your older BIOS was written.  It has evolved quite a bit, to include security fixes at a BIOS level.  Some people just don't get this, including some of our own IT guys.  I have a friend who says to me sometimes... "Come out of your mud hut". I sometimes deserve that.

 

An example: For the Z440/Z640/Z840 family of workstations a new BIOS was released by HP 1/18/22. It is, per HP, for W7, W8.1, W10, and W11, all versions. Here is from the HP release document:

ENHANCEMENTS:
- Includes enhancements to mitigate security vulnerabilities CVE-2021-0092, CVE-2021-0099, CVE-2021-0103, CVE-2021-0107, CVE-2021-0111, CVE-2021-0114, CVE-2021-0115, CVE-2021-0116, CVE-2021-0117, CVE-2021-0118, CVE-2021-0124, CVE-2021-0125, CVE-2021-3661, CVE-2021-39297, and CVE-2021-39301.
- Updates Intel processor microcode to 0x49 for Xeon E5 v3 processors and 0x40 for Xeon E5 v4 processors.
- Updates Intel TXT BIOS ACM to v3.1.3
- Updates Intel TXT SINIT ACM to v3.1.6
- Updates UEFI Diagnostics to v2.2.7.0

 

In this day and age if you think you don't need that... come out of your mud hut. My guess is that we'll be seeing more of this type of BIOS update.

 

 
