Lakewood Retailers: Are Your Point-Of-Sale Computers Prone to Cyberattacks? | Ron Benvenisti

Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products running Point-Of-Sale (POS) programs, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities.

The two vulnerabilities are tracked as CVE-2021-3808 and CVE-2021-3809 and carry a CVSS score of 8.8 (high). HP has credited Nicholas Starke of Aruba Threat Labs and a researcher who uses the online moniker “yngweijw” with reporting these bugs, but did not provide technical information on either of the flaws.

In an advisory, HP shared a list of impacted products, which includes retail point-of-sale devices.

“Potential security vulnerabilities have been identified in the BIOS (UEFI Firmware) for certain HP PC products, which might allow arbitrary code execution. HP is releasing firmware updates to mitigate these potential vulnerabilities,” HP notes in its advisory.

An attacker can find the memory address of a specific function and overwrite it in physical memory so that it points to attacker code. This vulnerability could allow an attacker to escalate privileges to System Management Mode (SMM), gaining full privileges over the host from which to carry out further attacks.

While firmware updates are already available for most of the affected devices, a few of them have yet to receive patches.

If you are using any of the products listed below, please get in touch with your IT provider as soon as possible to install the fix.

Affected Retail Point-Of-Sale PCs

| Product Name | Component Type | Minimum Version | Update (SoftPaq) | Download |
|---|---|---|---|---|
| HP Engage Flex Pro Retail System | BIOS | 02.17.00 Rev 1 | SP136502 | https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136502.exe |
| HP Engage Flex Pro-C Retail System | BIOS | 02.17.00 Rev 1 | SP136502 | https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136502.exe |
| HP Engage Go 10 Mobile System | BIOS | 01.08.00 Rev 1 | SP138363 | https://ftp.hp.com/pub/softpaq/sp138001-138500/sp138363.exe |
| HP Engage Go Mobile System | BIOS | 01.19.00 Rev 1 | SP137074 | https://ftp.hp.com/pub/softpaq/sp137001-137500/sp137074.exe |
| HP Engage One All-in-One System | BIOS | 02.40.00 Rev 1 | SP136509 | https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136509.exe |
| HP MP9 G4 Retail System | BIOS (Q22) | 02.17.00 Rev 1 | SP136575 | https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136575.exe |
| HP MP9 G4 Retail System | BIOS (Q35) | 02.17.00 Rev 1 | SP136577 | https://ftp.hp.com/pub/softpaq/sp136501-137000/sp136577.exe |
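The practical question for a shop owner or IT provider is which of the tills in the building are still below the minimum BIOS version in the table above. The following is an added example, not code from the article or from HP: it embeds the advisory's minimum versions and checks an inventory list of (hostname, product name, BIOS version string) against them, comparing version fields numerically rather than as text. The inventory rows are constructed sample data, and the assumed BIOS string format ("Q22 Ver. 02.17.00" or a bare "02.17.00") is a guess at what an inventory tool reports; adjust the regular expression if yours differs.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Minimum fixed BIOS versions, copied from the HP advisory table in the article.
# Value: dict mapping BIOS family (e.g. "Q22") -> minimum version.
# Products with a single BIOS use the key None for the family.
MINIMUM_VERSIONS = {
    "HP Engage Flex Pro Retail System": {None: "02.17.00"},
    "HP Engage Flex Pro-C Retail System": {None: "02.17.00"},
    "HP Engage Go 10 Mobile System": {None: "01.08.00"},
    "HP Engage Go Mobile System": {None: "01.19.00"},
    "HP Engage One All-in-One System": {None: "02.40.00"},
    "HP MP9 G4 Retail System": {"Q22": "02.17.00", "Q35": "02.17.00"},
}

# ASSUMPTION: the inventory reports the BIOS as "Q22 Ver. 02.17.00" or just "02.17.00".
BIOS_RE = re.compile(r"^(?:(?P<family>[A-Z]\d{2})\s+Ver\.\s+)?(?P<version>\d+(?:\.\d+)+)$")


@dataclass
class Finding:
    host: str
    status: str  # "outdated", "patched", "not_in_advisory", "unparseable" or "ambiguous"
    installed: Optional[str] = None
    minimum: Optional[str] = None


def version_key(v: str) -> tuple:
    """Turn '02.17.00' into (2, 17, 0) so '02.9.00' < '02.17.00' compares correctly."""
    return tuple(int(part) for part in v.split("."))


def check_host(host: str, model: str, bios_string: str) -> Finding:
    """Classify one machine against the advisory's minimum BIOS version."""
    families = MINIMUM_VERSIONS.get(model.strip())
    if families is None:
        return Finding(host, "not_in_advisory", bios_string)
    m = BIOS_RE.match(bios_string.strip())
    if not m:
        return Finding(host, "unparseable", bios_string)
    family, installed = m.group("family"), m.group("version")
    if family in families:
        minimum = families[family]
    elif len(set(families.values())) == 1:
        # Family missing or unrecognised, but every listed BIOS for this model
        # has the same floor, so the comparison is still sound.
        minimum = next(iter(families.values()))
    else:
        return Finding(host, "ambiguous", installed)
    status = "patched" if version_key(installed) >= version_key(minimum) else "outdated"
    return Finding(host, status, installed, minimum)


def audit(inventory):
    """Run check_host over (host, model, bios_string) rows; returns a list of Findings."""
    return [check_host(*row) for row in inventory]


# Constructed sample inventory; hostnames and version strings are made up.
SAMPLE_INVENTORY = [
    ("pos-lane-01", "HP Engage Flex Pro Retail System", "02.16.00"),   # below the floor
    ("pos-lane-02", "HP Engage One All-in-One System", "02.40.00"),    # exactly the floor
    ("pos-back-01", "HP MP9 G4 Retail System", "Q35 Ver. 02.17.00"),   # patched
    ("pos-back-02", "HP MP9 G4 Retail System", "Q22 Ver. 02.09.00"),   # outdated
    ("pos-mobile-01", "HP Engage Go 10 Mobile System", "01.07.00"),    # outdated
    ("kiosk-01", "Example non-listed model", "Q21 Ver. 02.17.00"),     # not in the advisory
    ("pos-lane-03", "HP Engage Go Mobile System", "unknown"),          # bad inventory data
]

if __name__ == "__main__":
    for f in audit(SAMPLE_INVENTORY):
        print(f"{f.host:14} {f.status:16} installed={f.installed} minimum={f.minimum}")
```

Only "outdated" rows need a SoftPaq applied; "unparseable" and "ambiguous" rows need a human to look at the machine, and "not_in_advisory" means the model is outside this particular advisory, not that it is safe.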


1 COMMENT

  1. Looks exactly like what we use. I forwarded to our computer company and they want to charge us for looking at each computer. Shouldn’t they keep us updated? The FTC says yes and they cannot charge plus they could pay a fine and all liability is on them. Am I being moser if they don’t fix it? We could lose a lot of money from credit card fraud.
