HP has fixed a vulnerability in the HP Touchpoint Analytics software installed by default on most HP computers running Windows, a flaw that allows attackers to escalate privileges and execute arbitrary code with SYSTEM privileges.
HP Touchpoint Analytics comes pre-installed on most HP PCs as a Windows service running with the highest-level ‘NT AUTHORITY\SYSTEM’ permissions, and is designed to anonymously collect hardware performance diagnostic information.
The local privilege escalation (LPE) vulnerability, tracked as CVE-2019-6333, was found in the Open Hardware Monitor library used by HP’s monitoring software.
CVE-2019-6333 allows potential attackers to execute malicious payloads with system-level privileges and to evade anti-malware detection by bypassing application whitelisting, a technique commonly used to prevent unknown or potentially malicious applications from running. The bypass works because the attacker’s code is loaded as a DLL into a process that is already trusted, rather than launched as a new executable.
DLL search-order hijacking flaws like this one are typically exploited in the later stages of an attack, after the targeted machines have already been compromised: they do not provide initial access, but they let an attacker with a low-privileged foothold elevate privileges, gain persistence, and further compromise the network.
“HP Touchpoint Analytics comes as a default monitoring component of most HP Windows laptops and desktops,” SafeBreach said.
“HP fixed the vulnerability but SafeBreach researchers believe that any machine using the Open Hardware Library was at risk.”
The vulnerability, discovered by SafeBreach Labs security researcher Peleg Hadar and reported to HP on July 4, affects all versions of HP Touchpoint Analytics Client below 18.104.22.16827.
Hadar says the security issue is caused by the lack of safe DLL loading, which results from the use of an uncontrolled search path (CWE-427) and from not checking whether the DLLs being loaded are signed with a digital certificate.
The researcher found that the HP Touchpoint Analytics service, which has high-privilege access to the computer’s hardware, loads a signed Open Hardware Monitor third-party library, and that this library in turn tries to load three missing DLLs, atiadlxx.dll, atiadlxy.dll, and Nvapi64.dll, from directories in the Windows PATH environment variable. Because none of the three exists on the system, the loader walks every PATH directory in order and fails; an attacker who can write to any of those directories can drop a DLL with one of those names there and have it executed by the service as SYSTEM.
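The following is an added example, not code from HP, SafeBreach or the original article: a PowerShell hunt script that reproduces the condition described above from the defender’s side. For each of the three DLL names the article lists, it walks the PATH directories in the order the loader would, reports whether a DLL of that name already exists and whether its Authenticode signature is valid, and, when the DLL is missing everywhere, identifies the first PATH directory a standard user can write to (the directory an attacker would plant the DLL in). The function names, the write-probe approach and the output fields are this example’s own choices; the DLL names come from the article. Run it as a non-administrator so the writability test reflects a low-privileged attacker’s view.

```powershell
# Added example (not HP's or SafeBreach's code): hunt for hijackable DLL
# search paths for the three DLL names named in the CVE-2019-6333 write-up.
$TargetDlls = @('atiadlxx.dll', 'atiadlxy.dll', 'Nvapi64.dll')

function Test-DirWritableByUser {
    param([string]$Path)
    # Probe with an actual write rather than parsing ACLs by hand: the
    # effective permission of the current (non-admin) user is what matters.
    $probe = Join-Path $Path ("probe-{0}.tmp" -f [guid]::NewGuid())
    try {
        [IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force -ErrorAction SilentlyContinue
        return $true
    } catch {
        return $false
    }
}

function Get-DllSearchExposure {
    param([string[]]$DllNames)
    # Only the PATH portion of the search order is modelled here. The real
    # loader tries the application directory and the Windows system
    # directories first; PATH is walked left to right after those.
    $searchDirs = ($env:PATH -split ';') |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) }

    foreach ($dll in $DllNames) {
        $resolved = $null
        foreach ($dir in $searchDirs) {
            $candidate = Join-Path $dir $dll
            if (Test-Path -LiteralPath $candidate -PathType Leaf) { $resolved = $candidate; break }
        }

        if ($resolved) {
            # A DLL of that name already exists: verify it is signed, because an
            # unsigned or invalid-signature file here is a planted payload until
            # proven otherwise.
            $sig = Get-AuthenticodeSignature -FilePath $resolved
            if ($sig.Status -eq 'Valid') { $risk = 'present, signed' }
            else { $risk = 'UNSIGNED OR INVALID DLL ON PATH' }
            [pscustomobject]@{
                Dll       = $dll
                Resolved  = $resolved
                Signature = $sig.Status
                Signer    = $sig.SignerCertificate.Subject
                Risk      = $risk
            }
        } else {
            # Missing everywhere: the first user-writable PATH directory is the
            # one an attacker would plant the DLL in.
            $writable = $searchDirs | Where-Object { Test-DirWritableByUser $_ } | Select-Object -First 1
            if ($writable) { $risk = "HIJACKABLE: plant in $writable" }
            else { $risk = 'not found; no user-writable PATH directory' }
            [pscustomobject]@{
                Dll       = $dll
                Resolved  = '(not found on PATH)'
                Signature = 'n/a'
                Signer    = 'n/a'
                Risk      = $risk
            }
        }
    }
}

Get-DllSearchExposure -DllNames $TargetDlls | Format-Table -AutoSize
```

Two caveats when reading the output. A DLL that resolves to a validly signed file is not automatically safe: the signer still has to be one you expect for that component, so check the Signer column rather than the status alone. And a “not found; no user-writable PATH directory” result only means the PATH entries that exist today are locked down; a misconfigured installer that later adds a writable directory to the system PATH reopens the same hole, so this is a check worth scheduling, not running once.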