SecurityWeek

HP Support Framework Bug Allows Arbitrary File Downloads, Data Harvesting

HP has patched a vulnerability in the HP Support Solution Framework that can be exploited by a remote attacker to deliver arbitrary files and steal information from users’ systems.

The flaw, which can be exploited with minimal user interaction, was uncovered last month by security researcher Tom Forbes, who noticed that the authentication mechanism used by the HP product detection software can be easily bypassed, allowing a malicious actor to carry out various actions.

HP’s support website allows users to identify their products and find the appropriate drivers and updates via the HP Support Solution Framework. This piece of software is capable of collecting system information, reading files and registry keys, obtaining information on installed devices and drivers, and initiating file downloads via the HP Download and Install Assistant.

The problem, according to Forbes, is that the software authenticates valid requests only by checking if they originate from a hostname ending in “hp.com.” The expert has noted that an attacker could simply register a domain such as “nothp.com” and his malicious requests would be accepted.
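To illustrate why a suffix match fails, the following added example (not HP's code and not taken from Forbes's write-up) places the check as the article describes it beside a label-boundary check. The function names and sample URLs are constructed for illustration, and the HTTPS requirement is an assumption of this example, not a description of HP's fix.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "hp.com"  # the domain named in the article


def _hostname(origin: str) -> str:
    """Lower-cased hostname of a URL without a trailing root dot ('' if unparsable)."""
    try:
        host = urlsplit(origin).hostname or ""
    except ValueError:
        return ""
    return host.rstrip(".").lower()


def suffix_check(origin: str) -> bool:
    """Flawed check as described: accept any hostname that ends in 'hp.com'."""
    return _hostname(origin).endswith(TRUSTED_DOMAIN)


def label_boundary_check(origin: str) -> bool:
    """Accept only hp.com itself or a true subdomain of it.

    Requiring HTTPS is an assumption added in this example.
    """
    try:
        scheme = urlsplit(origin).scheme
    except ValueError:
        return False
    if scheme != "https":
        return False
    host = _hostname(origin)
    # The leading dot forces the match to start at a DNS label boundary.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


# Constructed sample origins; "nothp.com" is the example given in the article.
SAMPLES = [
    "https://support.hp.com/drivers",
    "https://nothp.com/update",
    "https://hp.com.example.net/",
    "http://support.hp.com/",
]


def compare(samples=SAMPLES):
    """Return (origin, suffix_result, label_boundary_result) for each sample."""
    return [(s, suffix_check(s), label_boundary_check(s)) for s in samples]


if __name__ == "__main__":
    for origin, weak, strict in compare():
        print(f"{origin:35} suffix={weak!s:5} label-boundary={strict}")
```
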

An attacker can exploit this bug to trigger arbitrary file downloads through the HP Download and Install Assistant. The downloaded software cannot be executed without the user pressing the “Install” button, but since the attacker can modify the name of the file that is being downloaded, it’s likely that at least inexperienced users would take the bait.

“If an inexperienced user were to visit a malicious page that looked like a real HP site telling them to update their software and the HP download manager pops up I think many might press install, which would execute the attacker’s malware and compromise their machines. For some advanced malware merely being downloaded could be enough,” Forbes explained in a blog post.

An attacker can also exploit the HP Support Solution Framework vulnerability to harvest user information, such as files, registry keys and system data. The researcher has pointed out that while this attack could be more dangerous, it’s more complex and targeted.

For this attack to work, a malicious actor would have to find a way to get the application to connect to their server instead of HP’s server. This can be achieved through DNS spoofing or a man-in-the-middle (MitM) attack, the expert said.

“While I don’t want to be too critical of HP because their response was prompt and speedy I do think that their security procedures are lacking if such software can be published by them,” Forbes noted. “That being said they do make it clear to users that they are downloading the entire Support Solutions Framework and explain the functionality it includes.”

The vulnerability was reported to HP on March 25 and it was addressed by the company on April 10.

In a security advisory published on Friday, HP noted that HP Support Solution Framework versions prior to 11.51.0049 for Windows are vulnerable to the types of attacks described by the researcher. The flaw, which according to the company can lead to remote code execution and information disclosure, has been assigned the CVE identifier CVE-2015-2114 and a CVSS score of 5.8, which puts it in the “medium severity” category. Users are advised to update the software by visiting support.hp.com and clicking on “Identify Now.”

This isn’t the first time Forbes has found such a vulnerability. Last month, the expert reported uncovering a similar, but more serious, issue in Dell’s System Detect application.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
