HP Support Framework Bug Allows Arbitrary File Downloads, Data Harvesting

HP has patched a vulnerability in the HP Support Solution Framework that can be exploited by a remote attacker to deliver arbitrary files and steal information from users’ systems.

The flaw, which can be exploited with minimal user interaction, was uncovered last month by security researcher Tom Forbes, who noticed that the authentication mechanism used by the HP product detection software can be easily bypassed, allowing a malicious actor to carry out various actions.

HP’s support website allows users to identify their products and find the appropriate drivers and updates via the HP Support Solution Framework. This piece of software is capable of collecting system information, reading files and registry keys, obtaining information on installed devices and drivers, and initiating file downloads via the HP Download and Install Assistant.

The problem, according to Forbes, is that the software authenticates valid requests only by checking if they originate from a hostname ending in “hp.com.” The expert has noted that an attacker could simply register a domain such as “nothp.com” and his malicious requests would be accepted.
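The suffix check described above, next to a stricter form, as an added example (not HP's code and not from the researcher's post). The function names and sample origins are constructed for illustration, and the https requirement in the strict version is an extra assumption beyond what the article states.

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "hp.com"  # the suffix the article says was checked


def _scheme_and_host(origin):
    """Return (scheme, normalized hostname); ('', '') if the URL is unparsable."""
    try:
        parts = urlsplit(origin)
    except ValueError:
        return "", ""
    host = (parts.hostname or "").rstrip(".")  # hostname is already lower-cased
    return parts.scheme, host


def weak_is_trusted(origin):
    """Flawed check as the article describes it: a bare suffix match."""
    _, host = _scheme_and_host(origin)
    return host.endswith(TRUSTED_DOMAIN)


def strict_is_trusted(origin):
    """Accept hp.com or a true subdomain, over https only (https is an assumption)."""
    scheme, host = _scheme_and_host(origin)
    if scheme != "https":
        return False
    # The leading dot forces a DNS label boundary, so "nothp.com" cannot match.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


# Constructed sample origins; only "nothp.com" comes from the article.
SAMPLES = [
    "https://support.hp.com/drivers",
    "https://hp.com/",
    "https://nothp.com/update",
    "https://support.hp.com.example.net/",
    "http://support.hp.com/",
    "https://SUPPORT.HP.COM./",
]


def compare(samples=SAMPLES):
    """Return (origin, weak_result, strict_result) for each sample origin."""
    return [(o, weak_is_trusted(o), strict_is_trusted(o)) for o in samples]


if __name__ == "__main__":
    for origin, weak, strict in compare():
        print(f"{origin:38} weak={weak!s:<5} strict={strict}")
```

Only the lookalike domain and the plain-http origin are treated differently by the two checks; the other samples get the same verdict from both.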

An attacker can exploit this bug to trigger arbitrary file downloads through the HP Download and Install Assistant. The downloaded software cannot be executed without the user pressing the “Install” button, but since the attacker can modify the name of the file that is being downloaded, it’s likely that at least inexperienced users would take the bait.

“If an inexperienced user were to visit a malicious page that looked like a real HP site telling them to update their software and the HP download manager pops up I think many might press install, which would execute the attacker’s malware and compromise their machines. For some advanced malware merely being downloaded could be enough,” Forbes explained in a blog post.

An attacker can also exploit the HP Support Solution Framework vulnerability to harvest user information, such as files, registry keys and system data. The researcher has pointed out that while this attack could be more dangerous, it’s more complex and targeted.

For this attack to work, a malicious actor would have to find a way to get the application to connect to their server instead of HP’s server. This can be achieved through DNS spoofing or a man-in-the-middle (MitM) attack, the expert said.

“While I don’t want to be too critical of HP because their response was prompt and speedy I do think that their security procedures are lacking if such software can be published by them,” Forbes noted. “That being said they do make it clear to users that they are downloading the entire Support Solutions Framework and explain the functionality it includes.”

The vulnerability was reported to HP on March 25 and it was addressed by the company on April 10.

In a security advisory published on Friday, HP noted that HP Support Solution Framework versions prior to 11.51.0049 for Windows are vulnerable to the types of attacks described by the researcher. The flaw, which according to the company can lead to remote code execution and information disclosure, has been assigned the CVE identifier CVE-2015-2114 and a CVSS score of 5.8, which puts it in the “medium severity” category. Users are advised to update the software by visiting support.hp.com and clicking on “Identify Now.”

This isn’t the first time Forbes has found such a vulnerability. Last month, the expert reported uncovering a similar, but more serious, issue in Dell’s System Detect application.

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
