The unencrypted password was able to be accessed by CMOS tools.
Source: HP, HP Product Security Response Team (PSRT)
Reported By: Bader Zaidan
A BIOS password extraction vulnerability has been reported on certain consumer notebooks. The BIOS password was stored in CMOS in a way that allowed it to be extracted. This applies to consumer notebooks launched in early 2014.
HP has released the following softpaqs to mitigate the issue:
Marketing Name
|
Latest BIOS rev.
|
Softpaq No.
|
FTP Link
—|—|—|—
HP 240 G1 Notebook PC
|
F.48
|
TBU
|
TBU
HP 245 G1 Notebook PC
|
F.48
|
TBU
|
TBU
HP 1000-1300~1000-1399 Notebook PC
|
F.48
|
TBU
|
TBU
Compaq CQ45-900~CQ45-999 Notebook PC
|
F.48
|
TBU
|
TBU
HP 250 G1 Notebook PC
|
F.47
|
TBU
|
TBU
HP 255 G1 Notebook PC
|
F.47
|
TBU
|
TBU
HP ENVY (TouchSmart) 15-j000~j099 Notebook PC
|
F.22
|
SP84266
|
<http://ftp.hp.com/pub/softpaq/sp84001-84500/sp84266.exe>
HP ENVY (TouchSmart) 15-j100~j199 Notebook PC
|
F.71
|
TBU
|
TBU
HP Pavilion (TouchSmart) 15-n000~199 Notebook PC
|
F.72
|
TBU
|
TBU
HP 246 Notebook PC
|
F.04
|
TBU
|
TBU
HP 455 Notebook PC
|
F.08
|
TBU
|
TBU
HP ENVY (TouchSmart) 17-j100~j199 Notebook PC
|
F.71
|
TBU
|
TBU
HP ENVY (TouchSmart) 17-j100 ~ j199 Leap Motion SE Notebook PC
|
F.71
|
TBU
|
TBU
HP Split 13-g200~299 x2 PC
|
F.25
|
SP84274
|
<http://ftp.hp.com/pub/softpaq/sp84001-84500/sp84274.exe>
HP ENVY (TouchSmart) 100~15-j199 Notebook PC
|
F.22
|
SP84266
|
<http://ftp.hp.com/pub/softpaq/sp84001-84500/sp84266.exe>
HP Pavilion (TouchSmart) 14-n000~199 Notebook PC
|
F.72
|
TBU
|
TBU
HP ENVY (TouchSmart) 14-k100~14-k199 Sleekbook
|
F.22
|
TBU
|
TBU
HP ENVY TouchSmart 14-k100~14-k199 Ultrabook
|
F.22
|
TBU
|
TBU
HP Spectre x2 13-SMB Pro
|
F.25
|
SP84274
|
<http://ftp.hp.com/pub/softpaq/sp84001-84500/sp84274.exe>
HP Spectre 13-h200~299 x2 PC
|
F.25
|
SP84274
|
<http://ftp.hp.com/pub/softpaq/sp84001-84500/sp84274.exe>
HP Pavilion 15-n200~299 (TouchSmart) Notebook PC
|
F.72
|
TBU
|
TBU
HP Pavilion 15-n300~399 (TouchSmart) Notebook PC
|
F.72
|
TBU
|
TBU
HP ENVY m6-n000~n099 Notebook PC
|
F.26
|
SP84537
|
<http://ftp.hp.com/pub/softpaq/sp84501-85000/sp84537.exe>
HP 255 G3 Notebook PC
|
F.45
|
SP84257
|
<http://ftp.hp.com/pub/softpaq/sp84001-84500/sp84257.exe>
HP 14-g000~g099 Notebook PC
|
F.45
|
SP84257
|
<http://ftp.hp.com/pub/softpaq/sp84001-84500/sp84257.exe>
Compaq 14-h000~h099
|
F.45
|
SP84257
|
<http://ftp.hp.com/pub/softpaq/sp84001-84500/sp84257.exe>
HP Pavilion 11-n000~n099 x360 PC
|
F.2E
|
SP84131
|
<http://ftp.hp.com/pub/softpaq/sp84001-84500/sp84131.exe>
HP 15-r000~r099 Notebook PC
|
F.43
|
SP84418
|
<http://ftp.hp.com/pub/softpaq/sp84001-84500/sp84418.exe>
HP 15-r500~r599 Notebook PC
|
F.43
|
SP84418
|
<http://ftp.hp.com/pub/softpaq/sp84001-84500/sp84418.exe>
HP Pavilion 10-f000~f099 Notebook PC
|
F.0E
|
TBU
|
TBU
HP G14-a000~a099 Notebook PC
|
F.06
|
SP84377
|
<http://ftp.hp.com/pub/softpaq/sp84001-84500/sp84377.exe>
HP 14-r000~r099 Notebook PC
|
F.43
|
SP84418
|
<http://ftp.hp.com/pub/softpaq/sp84001-84500/sp84418.exe>
Compaq 14-s000~s099 Notebook PC
|
F.43
|
SP84418
|
<http://ftp.hp.com/pub/softpaq/sp84001-84500/sp84418.exe>
HP 240 G3 Notebook PC
|
F.43
|
SP84418
|
<http://ftp.hp.com/pub/softpaq/sp84001-84500/sp84418.exe>
HP 246 G3 Notebook PC
|
F.43
|
SP84418
|
<http://ftp.hp.com/pub/softpaq/sp84001-84500/sp84418.exe>