CVE-2019-16284

high-risk
Published 2019-11-05

A potential security vulnerability has been identified in multiple HP products and versions which involves possible execution of arbitrary code during boot services that can result in elevation of privilege. The EFI_BOOT_SERVICES structure might be overwritten by an attacker to execute arbitrary SMM (System Management Mode) code. A list of affected products and versions is available at https://support.hp.com/rs-en/document/c06456250.

Do I need to act?

0.30% chance of exploitation
EPSS score — low exploit probability

Not on CISA KEV list
No confirmed active exploitation reported to CISA

Patch status unknown
Check vendor advisories for fix availability and mitigation guidance

CVSS 7.2/10 High
NETWORK / LOW complexity

Affected Products (20)

260 G1 Dm Firmware
280 Pro G1 Firmware
285 G2 Firmware
340 G3 Firmware
340 G4 Firmware
346 G3 Firmware
346 G4 Firmware
348 G3 Firmware
348 G4 Firmware
Elite X2 1011 G1 Firmware
Elite X2 1012 G1 Firmware
Elitebook 1030 G1 Firmware
Elitebook 1040 G2 Firmware
Elitebook 720 G1 Firmware
Elitebook 720 G2 Firmware
Elitebook 740 G1 Firmware
Elitebook 740 G2 Firmware
Elitebook 750 G1 Firmware
Elitebook 750 G2 Firmware

Affected Vendors

HP

57 / 100
high-risk
Severity 26/34 · High
Exploitability 1/34 · Minimal
Exposure 30/34 · Critical