HP published a vulnerability report about a TOCTOU flaw impacting HP PC products. The HP products using AMI UEFI Firmware – system BIOS were found to be impacted by this TOCTOU vulnerability in HP products.
Time-of-check to time-of-use (TOCTOU) refers to a category of software bugs that occur in software development due to a race condition.
This condition occurs when there is a check performed on a certain component of a system, such as a security credential, followed by the use of the results from that check.
More about the TOCTOU vulnerability in HP
The TOCTOU vulnerability in HP was considered high severity and it was addressed and published on June 20.
The vulnerability impacting HP PC products was assigned a base score of 7.5. No NIST reports were found for the HP vulnerability CVE-2023-26299 so far.
Its base vector was CVSS:3.1/AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H. Updates were released by AMI to mitigate the risk of exploitation in the hands of cybercriminals.
Vulnerable products, other details about the TOCTOU vulnerability in HP PC products
“HP has identified affected platforms and corresponding SoftPaqs with minimum versions that mitigate the potential vulnerability,” the HP Support page read.
Users can find the details of the impacted versions and products under the respective category namely Business Desktop PCs, Thin Client PCs, Consumer Notebook PCs, and Consumer Desktop PCs. The respective SoftPaq downloads can also be found alongside the name of the product.
Some of the impacted products were as follows –
- HP 260 G4 Desktop Mini PC with the Minimum version of 2.14 – Business Desktop PC
- HP t430 Thin Client with the Minimum version of 00.01.11 – Thin Client PCS
- HP t628 Thin Client with the Minimum version of 00.01.10 – Thin Client PCS
- HP 14-cf3xxx,14tcf300 with the Minimum version of F.22 – Consumer Notebook PCS
- HP 190-0xxx with the Minimum version of F.35 – Consumer Desktop PCS
HP TOCTOU vulnerabilities and their impact
(Photo: Medium/Sreeprakash Neelakantan)
Time-of-Check to Time-of-Use – TOCTOU vulnerabilities can impact not just the software but also the hardware. TOCTOU also called race condition timing attacks are caused due to logical errors in the design of the software or the hardware.
“In a TOCTOU attack, an attacker exploits the timing and order of events to gain unauthorized access to a resource or execute unintended operations,” as explained in a Packetlabs report.
Since a cyber attack using the TOCTOU vulnerability depends on the time taken for a resource to be checked and used, it is important to detect and patch such vulnerabilities promptly.
Hackers edit the resource in the time gap and can run arbitrary codes across the network. They can change the information in a program, gain unauthorized access and use administrative controls. Such attacks can also lead to a system crash.
Preventing threats from TOCTOU vulnerability in HP products
Patching vulnerable software is recommended to prevent cyber attacks. Reiterating on the need to patch in case of third-party vendors, the HP Support page read, “Third party security patches that are to be installed on systems running HP software products should be applied in accordance with the customer’s patch management policy.”
Third-party security is essential to data protection, especially in the age of ransomware attacks launched by the likes of Cl0p hackers. Cl0p which targeted MOVEit file-sharing platform gained access to hundreds of its clients.
