| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Thu, 27 Oct 2016 19:23:19 +0000
From: HP Security Alert <hp-security-alert@...com>
To: Undisclosed recipients: ;
Subject: [security bulletin] HPSBHF3549 ThinkPwn UEFI BIOS SmmRuntime
Escalation of Privilege
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
Note: the current version of the following document is available here:
https://h20565.www2.hp.com/hpsc/doc/public/display?docId=emr_na-c05239646
SUPPORT COMMUNICATION - SECURITY BULLETIN
Document ID: c05239646
Version: 1
HPSBHF3549 ThinkPwn UEFI BIOS SmmRuntime Escalation of Privilege
NOTICE: The information in this Security Bulletin should be acted upon as soon
as possible.
Release Date: 2016-08-17
Last Updated: 2016-08-25
Potential Security Impact: System downtime, or privilege escalation.
Source: HP, HP Product Security Response Team (PSRT)
VULNERABILITY SUMMARY
A security vulnerability identified with UEFI firmware, dubbed ThinkPwn, has
been addressed in certain HP commercial notebook PCs and HP consumer notebook
PCs. The vulnerability could be exploited to run arbitrary code in System
Management Mode, resulting in elevation of privilege or denial of service.
References: CVE TBD PSR-2016-0068
SUPPORTED SOFTWARE VERSIONS*: ONLY impacted versions are listed.
See impacted products listed in the Resolution section of this document.
BACKGROUND
For a PGP signed version of this security bulletin please write to:
hp-security-alert@...com
CVSS 2.0 Base Metrics
Reference Base Vector Base Score
CVE-TBD Temp (AV:N/AC:H/Au:S/C:C/I:C/A:C) Temp 7.1
Information on CVSS is documented in HP Customer Notice: HPSN2008002.
RESOLUTION
HP has provided firmware updates to address the vulnerability for HP PCs with
UEFI Firmware.
To acquire the firmware updates, go to hp.com and complete the following steps:
1. On hp.com, select Support and then select Download Drivers.
2. Enter your product name or number in the Find my product field.
3. Choose the product from the returned search results.
4. Choose the operating system.
5. Under the Download Index, select BIOS, and download the BIOS version as
listed in the table below.
6. Follow the installation instructions to install the firmware update.
HP Commercial Notebook PC, Mobile Thin Client and BIOS HP SoftPaq
Tablet Model Version Number
HP EliteBook 725 G2 Notebook PC 01.42 sp76950
HP EliteBook 745 G2 Notebook PC 01.42 sp76950
HP EliteBook 755 G2 Notebook PC 01.42 sp76950
HP mt41 Mobile Thin Client 01.41 sp76955
HP ProBook 4435s Notebook PC F.63 sp76954
HP ProBook 4436s Notebook PC F.63 sp76954
HP ProBook 4445s Notebook PC F.64 sp76961
HP ProBook 4446s Notebook PC F.64 sp76961
HP ProBook 445 G1 Notebook PC F.64 sp76956
HP ProBook 445 G2 Notebook PC 01.41 sp76953
HP ProBook 4535s Notebook PC F.63 sp76954
HP ProBook 4545s Notebook PC F.64 sp76961
HP ProBook 455 G1 Notebook PC F.64 sp76956
HP ProBook 455 G2 Notebook PC 01.41 sp76953
HP ProBook 645 G1 Notebook PC 01.41 sp76945
HP ProBook 6465b Notebook PC F.63 sp76967
HP ProBook 6475b Notebook PC F.65 sp76962
HP ProBook 655 G1 Notebook PC 01.41 sp76945
HP ProBook 6565b Notebook PC F.63 sp76967
HP Consumer and SMB Notebooks BIOS HP SoftPaq
Version Number
HP Pavilion 13-p100 thru 13-p199 x2 (AMD) F.0A sp76822
HP Pavilion 13z-p100 x2 (AMD) F.0A sp76822
HP Pavilion 14-a000 thru 14-a099 (Intel) F.27 sp76846
HP Pavilion 14-e000 thru 14-e199 (Intel) F.27 sp76846
HP Pavilion 14-f000 thru 14-f099 Sleekbook (AMD) F.0B sp76823
HP Pavilion 14-n000 thru 199 (Intel) F.70 sp76803
HP Pavilion 14-n200 thru 299 (Intel) F.70 sp76803
HP Pavilion 14t-a000 (Intel) F.27 sp76846
HP Pavilion 14t-e100 (Intel) F.27 sp76846
HP Pavilion 14t-n100 (Intel) F.70 sp76803
HP Pavilion 14t-n200 (Intel) F.70 sp76803
HP Pavilion 14z-f000 Sleekbook (AMD) F.0B sp76823
HP Pavilion 15-e000 thru 15-e099 (Intel) F.27 sp76846
HP Pavilion 15-e100 thru 15-e199 (Intel) F.27 sp76846
HP Pavilion 15-n000 thru 199 (Intel) F.70 sp76803
HP Pavilion 15-n200 thru 299 (Intel) F.70 sp76803
HP Pavilion 15t-e000 (Intel) F.27 sp76846
HP Pavilion 15t-e100 (Intel) F.27 sp76846
HP Pavilion 15t-n100 (Intel) F.27 sp76846
HP Pavilion 15t-n200 (Intel) F.70 sp76803
HP Pavilion 17-e000 thru 17-e099 (Intel) F.27 sp76846
HP Pavilion 17-e100 thru 17-e199 (Intel) F.27 sp76846
HP Pavilion 17t-e000 (Intel) F.27 sp76846
HP Pavilion 17t-e100 (Intel) F.27 sp76846
HP Pavilion TouchSmart 14-f000 thru 14-f099 F.0B sp76823
Sleekbook
HP Pavilion TouchSmart 14-n000 thru 199 Ultrabook F.70 sp76803
(Intel)
HP Pavilion TouchSmart 14-n000 thru 299 (Intel) F.70 sp76803
HP Pavilion TouchSmart 14-n200 thru 299 Ultrabook F.70 sp76803
(Intel)
HP Pavilion TouchSmart 14t-n100 (Intel) F.70 sp76803
HP Pavilion TouchSmart 14t-n100 Ultrabook (Intel) F.70 sp76803
HP Pavilion TouchSmart 14t-n200 (Intel) F.70 sp76803
HP Pavilion TouchSmart 14t-n200 Ultrabook (Intel) F.70 sp76803
HP Pavilion TouchSmart 14z-f000 Sleekbook (AMD) F.0B sp76823
HP Pavilion TouchSmart 15-n000 thru 15-n299 F.70 sp76803
(Intel)
HP Pavilion TouchSmart 15t-n100 (Intel) F.70 sp76803
HP Pavilion TouchSmart 15t-n200 (Intel) F.70 sp76803
System management and security procedures must be reviewed frequently to
maintain system integrity. HP is continually reviewing and enhancing the
security features of software products to provide customers with current secure
solutions.
"HP is broadly distributing this Security Bulletin in order to bring to the
attention of users of the affected HP products the important security
information contained in this Bulletin. HP recommends that all users determine
the applicability of this information to their individual situations and take
appropriate action. HP does not warrant that this information is necessarily
accurate or complete for all user situations and, consequently, HP will not be
responsible for any damages resulting from user's use or disregard of the
information provided in this Bulletin. To the extent permitted by law, HP
disclaims all warranties, either express or implied, including the warranties
of merchantability and fitness for a particular purpose, title and
non-infringement."
REVISION HISTORY
Version 1 2016-08-09
Copyright 2016 Hewlett-Packard Development Company, L.P.
Hewlett-Packard Company shall not be liable for technical or editorial errors
or omissions contained herein. The information provided is provided "as is"
without warranty of any kind. To the extent permitted by law, neither HP or its
affiliates, subcontractors or suppliers will be liable for incidental,special
or consequential damages including downtime cost; lost profits;damages relating
to the procurement of substitute products or services; or damages for loss of
data, or software restoration. The information in this document is subject to
change without notice. Hewlett-Packard Company and the names of Hewlett-Packard
products referenced herein are trademarks of Hewlett-Packard Company in the
United States and other countries. Other product and company names mentioned
herein may be trademarks of their respective owners.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2
iQIcBAEBCAAGBQJYElOHAAoJEPRuzn0I+N3ZBqYQAJGSgloCzeuYUGUbiR/SgZJD
zjI5YTVjy33QLI+BHwDizylpS5s7i9lcic++RcyspfRCBwK/gWVfh1q4Zb8kxyBq
xruvGzdG+PfAMPwVhFWDIxLsQAMPUD3/lLt3RimTKiVP70gGWwlaeTJBwDfe4vZh
S6LeYg9G/R0/EFDnUxN6sMTVAsICo2f5/puzkUk1pshFDJQ5mR9Se1lrOgHL0jHl
Hw2pHey8JmTUI+ORzow82qpJ5BFwmzSz5h5lTGoiuhypWkoamzxAnel4vZrQroFT
2uSB8a2P3Ri1IgP1CgOKOOBrGpXdcZLOk/58KgxZTcdCJIRBVlRFPxrGlOSr4iDP
UxEHpGoCcFAT2pC+Q6HWfAEM2ctfjWDZKRvaHcDo6dosHwE+vUHNCt3I5su4M7nn
111kMWhN8yEKZLWoyyX8xCZQSGbW2vEH/iigI4jivbPayr4p19i/C196Z+odAWzg
jAF9FA71QneIyVNkyD835LZhIA7mdbMPNlAnP/atuds7ITDfPV57hVWPx0L6YUgH
HD2uFIAzX3NnLpTIO550IedPVb8PRWwZCo46D6P4WYReJbboZ5Jgx66Iud59kCOR
RlWEQQ0KZ/9u73VfMP3RqUGMC0LezP0nLuJ9Wgb/zo9naUXAfGO5DLPDTDMFjgSs
rGtaxS1YeGRPKhs6DJOQ
=cB28
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists