The company says the vulnerabilities, CVE-2021-3808 and CVE-2021-3809, “might allow arbitrary code execution” on systems running previous versions of the UEFI firmware. Both vulnerabilities have been rated High severity and received CVSS scores of 8.8 out of 10.
HP says the flaws affect members of numerous product lines across several device categories; a complete list is available via the security advisory. (BleepingComputer notes that not all of the affected devices have received a patch, so it’s worth keeping an eye on that advisory.)
The company doesn’t offer additional information about these vulnerabilities in the advisory, and at the time of writing, neither does the National Vulnerability Database. But the security researcher who discovered the flaw, Nicholas Starke, has offered some more details on their blog.
“This vulnerability could allow an attacker executing with kernel-level privileges (CPL == 0) to escalate privileges to System Management Mode (SMM),” Starke says. “Executing in SMM gives an attacker full privileges over the host to further carry out attacks.”
HP didn’t immediately respond to a request for more information about these vulnerabilities or an explanation for why it didn’t credit Starke with disclosing the flaws in the security advisory.