HP Support Framework Bug Allows Arbitrary File Downloads, Data Harvesting

HP has patched a vulnerability in the HP Support Solution Framework that can be exploited by a remote attacker to deliver arbitrary files and steal information from users’ systems.

The flaw, which can be exploited with minimal user interaction, was uncovered last month by security researcher Tom Forbes, who noticed that the authentication mechanism used by the HP product detection software can be easily bypassed, allowing a malicious actor to carry out various actions.

HP’s support website allows users to identify their products and find the appropriate drivers and updates via the HP Support Solution Framework. This piece of software is capable of collecting system information, reading files and registry keys, obtaining information on installed devices and drivers, and initiating file downloads via the HP Download and Install Assistant.

The problem, according to Forbes, is that the software authenticates valid requests only by checking if they originate from a hostname ending in “hp.com.” The expert has noted that an attacker could simply register a domain such as “nothp.com” and his malicious requests would be accepted.
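The weak check described above is a naive string-suffix match on the hostname, and the fix is a label-boundary match (the host must be exactly the trusted domain or end in ".hp.com") combined with a scheme check. The following is an added illustration written for this article, not HP's own code or the actual patch: `weak_origin_check` reproduces the flawed logic as Forbes describes it, and `strict_origin_check` is an assumed hardened replacement. The sample origins are constructed, and the only real domain used is the `hp.com` suffix the article names.

```python
from urllib.parse import urlsplit

# The vendor domain the check was meant to trust (taken from the article).
TRUSTED_HOST = "hp.com"


def _hostname(origin: str) -> str:
    """Extract a normalized hostname from an origin/URL string.

    urlsplit() already lowercases the host and strips userinfo and port, so
    'https://support.hp.com@evil.example' yields 'evil.example', not the
    decoy in front of the '@'.
    """
    host = urlsplit(origin).hostname or ""
    return host.rstrip(".").lower()


def weak_origin_check(origin: str) -> bool:
    """Flawed logic as described in the article: accept any request whose
    hostname merely ends with the characters 'hp.com'.

    This has no notion of a label boundary, so an unrelated registrable
    domain such as 'nothp.com' satisfies it.
    """
    return _hostname(origin).endswith(TRUSTED_HOST)


def strict_origin_check(origin: str) -> bool:
    """Assumed hardened check (not HP's real patch):

    1. require https so a plain-HTTP page cannot issue the request;
    2. require the host to be exactly TRUSTED_HOST or a true subdomain of it,
       i.e. the suffix match must begin at a dot ('.hp.com').
    """
    parts = urlsplit(origin)
    if parts.scheme != "https":
        return False
    host = _hostname(origin)
    if not host:
        return False
    return host == TRUSTED_HOST or host.endswith("." + TRUSTED_HOST)


def compare_checks(origins):
    """Return {origin: (weak_result, strict_result)} for a list of origins,
    which makes the divergence between the two checks easy to review."""
    return {o: (weak_origin_check(o), strict_origin_check(o)) for o in origins}


if __name__ == "__main__":
    # Constructed sample origins; 'nothp.com' is the article's own example.
    samples = [
        "https://support.hp.com",
        "https://hp.com",
        "https://nothp.com",
        "http://support.hp.com",
        "https://hp.com.evil.example",
        "https://support.hp.com@evil.example",
    ]
    for origin, (weak, strict) in compare_checks(samples).items():
        print(f"{origin:40}  weak={weak!s:5}  strict={strict!s:5}")
```

In practice an exact allowlist of the handful of hostnames the support site actually uses is tighter still than a subdomain match, since any compromised or dangling subdomain under the trusted zone would otherwise pass the strict check too.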

An attacker can exploit this bug to trigger arbitrary file downloads through the HP Download and Install Assistant. The downloaded software cannot be executed without the user pressing the “Install” button, but since the attacker can modify the name of the file that is being downloaded, it’s likely that at least inexperienced users would take the bait.

“If an inexperienced user were to visit a malicious page that looked like a real HP site telling them to update their software and the HP download manager pops up I think many might press install, which would execute the attacker’s malware and compromise their machines. For some advanced malware merely being downloaded could be enough,” Forbes explained in a blog post.

An attacker can also exploit the HP Support Solution Framework vulnerability to harvest user information, such as files, registry keys and system data. The researcher has pointed out that while this attack could be more dangerous, it’s more complex and targeted.

For this attack to work, a malicious actor would have to find a way to get the application to connect to their server instead of HP’s server. This can be achieved through a DNS spoofing or a man-in-the-middle (MitM) attack, the expert said.

“While I don’t want to be too critical of HP because their response was prompt and speedy I do think that their security procedures are lacking if such software can be published by them,” Forbes noted. “That being said they do make it clear to users that they are downloading the entire Support Solutions Framework and explain the functionality it includes.”

The vulnerability was reported to HP on March 25 and it was addressed by the company on April 10.

In a security advisory published on Friday, HP noted that HP Support Solution Framework versions prior to 11.51.0049 for Windows are vulnerable to the types of attacks described by the researcher. The flaw, which according to the company can lead to remote code execution and information disclosure, has been assigned the CVE identifier CVE-2015-2114 and a CVSS score of 5.8, which puts it in the “medium severity” category. Users are advised to update the software by visiting support.hp.com and clicking on “Identify Now.”

This isn’t the first time Forbes has found such a vulnerability. Last month, the expert reported uncovering a similar, but more serious, issue in Dell’s System Detect application.

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
