Headline
Your HP Support Assistant needs an update!
Categories: Exploits and vulnerabilities Categories: News Tags: HP Support Assistant
Tags: DLL hijacking
Tags: SYSTEM privileges
Tags: CVE-2022-38395
HP has issued a new version of its HP Support Assistant tool because of a high severity DLL hijacking vulnerability.
(Read more…)
The post Your HP Support Assistant needs an update! appeared first on Malwarebytes Labs.
HP has issued a new version of its HP Support Assistant tool. Users of HP Support Assistant versions earlier than 9.11 and Fusion versions earlier than 1.38.2601.0 are affected by a high severity vulnerability. According to HP it is possible for an attacker to exploit a dynamic-link library (DLL) hijacking vulnerability and elevate privileges at launch of the HP Performance Tune-up.
The HP Support Assistant is a handy software utility provided by HP so that users can download and install necessary firmware and software, check performance-related metrics, and run some basic troubleshooting. The software comes pre-installed on all HP laptops and desktop computers.
HP Support Assistant uses HP Performance Tune-up as a diagnostic tool and launches it using Fusion. It is possible for an attacker to exploit the DLL hijacking vulnerability and elevate privileges when Fusion launches the HP Performance Tune-up.
The vulnerability was assigned a high severity rating with a CVSS v3.1 base score of 8.2 out of 10. The vulnerability is listed as CVE-2022-38395.
DLL hijacking
All Windows systems use a common method to search for the DLLs an application needs to load. The first two locations it will look for DLLs in an environment that uses the SafeDllSearchMode are:
- The directory the application was loaded from
- The system directory
DLL hijacking relies on the application loading the first DLL it finds that matches what it’s looking for. Attackers create a malicious library with the same name as a DLL required by the application and then put it in a directory that is searched before the one containing its namesake. If this is successful the attacker can run their malicious DLL code with the same privileges as the main process. To hide their tracks attackers may also load the legitimate DLL from their malicious code, so that the application continues to behave normally.
Since the HP Support Assistant runs with SYSTEM privileges this could be very beneficial to an attacker. SYSTEM privileges are slightly different from, but at roughly the same level as, Administrator permissions, especially when it comes to the file system.
Mitigation
HP recommends that customers update to the latest version of HP Support by turning on automatic updates in the HP Support Assistant settings. Alternately, customers can also get the latest version from the HP Support Assistance page.
Those using the older version 8.x won’t receive a security update, so they are advised to move to the newer branch. To do that, open the software, go to the About section, and click Check for updates.
Another option is to remove the HP Support Assistant software completely. You can always download the latest version if and when you need it.
Related news
HP Support Assistant uses HP Performance Tune-up as a diagnostic tool. HP Support Assistant uses Fusion to launch HP Performance Tune-up. It is possible for an attacker to exploit the DLL hijacking vulnerability and elevate privileges when Fusion launches the HP Performance Tune-up.
Plus: WhatsApp plugs holes that could be used for remote execution attacks, Microsoft patches a zero-day vulnerability, and more.
A number of firmware security flaws uncovered in HP's business-oriented high-end notebooks continue to be left unpatched in some devices even months after public disclosure. Binarly, which first revealed details of the issues at the Black Hat USA conference in mid-August 2022, said the vulnerabilities "can't be detected by firmware integrity monitoring systems due to limitations of the Trusted