Reference: Advisory #2020-009
Version: 1.0
Affected software: HP Support Assistant (Version 8.8 and lower)
Type: Escalation of Privilege, Remote Code Execution (RCE)
CVE/CVSS: CVSS 3.0 Base Metrics calculated by HP
https://support.hp.com/us-en/document/c06609927
An attacker could exploit the vulnerabilities in multiple ways, including:
The software is pre-installed on all HP machines sold after 2012 that run Windows 7, Windows 8(.1), or Windows 10 operating systems.
The majority of these flaws were disclosed to HP on October 5, 2019; HP acted on the report and released a patch on December 19. However, some vulnerabilities remained unpatched after that date, and a second report was filed with HP on January 6, 2020.
The patch was eventually released on April 1 and should fix the privilege escalation and arbitrary file deletion vulnerabilities.
However, users remain at risk from three local privilege escalation vulnerabilities. The researcher who disclosed the flaws says these can only be exploited after an attacker has already gained access to the system, which lowers the risk.
Possibilities to protect your machine
A proof-of-concept for these vulnerabilities is available on this blog.
The HP Product Security Response Team released an advisory for these vulnerabilities.
CERT.be recommends applying the patch as soon as possible and enabling automatic updates by default to reduce the risk of exploitation.
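To check whether an endpoint still runs an affected build before or after rolling out the patch, the following PowerShell inventory check is an added example (not CERT.be or HP code). It assumes the product registers under the standard Windows Uninstall registry keys with a DisplayName beginning "HP Support Assistant", and, since the advisory gives no fixed version number, treats only builds numbered 8.9 or higher as outside the "8.8 and lower" affected range.

```powershell
# Added example (not CERT.be or HP code): report whether the installed
# HP Support Assistant falls in the affected range "8.8 and lower".
# Assumptions: standard Uninstall registry keys, DisplayName starting with
# "HP Support Assistant", and builds >= 8.9 are outside the affected range.
function Get-HpsaVulnerabilityStatus {
    [CmdletBinding()]
    param(
        # Highest affected version according to the advisory.
        [version]$MaxAffected = [version]'8.8'
    )
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    # SilentlyContinue: the WOW6432Node hive does not exist on 32-bit Windows.
    $found = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'HP Support Assistant*' }

    if (-not $found) {
        return [pscustomobject]@{ Installed = $false; Version = $null; Affected = $false }
    }
    foreach ($app in $found) {
        $ver = $null
        # DisplayVersion may be absent or non-numeric; report those as unknown.
        $parsed = [version]::TryParse($app.DisplayVersion, [ref]$ver)
        # Compare major.minor only, so that e.g. 8.8.12.44 still counts as 8.8
        # (a full .NET Version compare would rank 8.8.12.44 above 8.8).
        $affected = $null
        if ($parsed) {
            $affected = [version]"$($ver.Major).$($ver.Minor)" -le $MaxAffected
        }
        [pscustomobject]@{
            Installed = $true
            Version   = $app.DisplayVersion
            Affected  = $affected   # $true, $false, or $null when unparsable
        }
    }
}

# Run on each endpoint (e.g. via your endpoint-management tool); a result
# with Affected = $true means the build is still within the advisory's range.
Get-HpsaVulnerabilityStatus
```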