CVE-2022-43779 — Time-of-check Time-of-use (TOCTOU) Race Condition in HP 218 PRO G5 MT Firmware

CWE-367 — Time-of-check Time-of-use (TOCTOU) Race Condition3 documents3 sources

Severity

7.0HIGHNVD

EPSS

0.1%

top 78.27%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

HP 218 PRO G5 MT Firmware HP 260 G2 Desktop Mini Firmware HP 260 G3 Desktop Mini Firmware +23 more

Timeline

PublishedFeb 12

Description

A potential Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in certain HP PC products using AMI UEFI Firmware (system BIOS) which might allow arbitrary code execution, denial of service, and information disclosure. AMI has released updates to mitigate the potential vulnerability.

CVSS vector

CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:HExploitability: 1.0 | Impact: 5.9

Affected Packages26 packages

▶CVEListV5hp_inc/hp_pc_products_using_ami_uefi_firmwareSee HP Security Bulletin reference for affected versions.

▶NVDhp/rp2_retail_system_2000_firmware< 2.24

▶NVDhp/rp2_retail_system_2020_firmware< 2.24

▶NVDhp/rp2_retail_system_2030_firmware< 2.24

▶NVDhp/348_g4_firmware< f.65

Patches

Patch: support.hp.com ↗Patch: support.hp.com ↗

🔴Vulnerability Details

GHSA

GHSA-fg8p-pjfg-p9xm: A potential Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in certain HP PC products using AMI UEFI Firmware (system BIOS) wh↗2023-02-12

▶

CVEList

CVE-2022-43779: A potential Time-of-Check to Time-of-Use (TOCTOU) vulnerability has been identified in certain HP PC products using AMI UEFI Firmware (system BIOS) wh↗2023-02-03

▶