
HP Support Framework Bug Allows Arbitrary File Downloads, Data Harvesting

HP has patched a vulnerability in the HP Support Solution Framework that can be exploited by a remote attacker to deliver arbitrary files and steal information from users’ systems.


The flaw, which can be exploited with minimal user interaction, was uncovered last month by security researcher Tom Forbes, who noticed that the authentication mechanism used by the HP product detection software can be easily bypassed, allowing a malicious actor to carry out various actions.

HP’s support website allows users to identify their products and find the appropriate drivers and updates via the HP Support Solution Framework. This piece of software is capable of collecting system information, reading files and registry keys, obtaining information on installed devices and drivers, and initiating file downloads via the HP Download and Install Assistant.

The problem, according to Forbes, is that the software authenticates requests only by checking whether they originate from a hostname ending in the string “hp.com.” The expert noted that an attacker could simply register a domain such as “nothp.com,” which also ends in “hp.com,” and their malicious requests would be accepted.
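As an added illustration (not HP’s code and not from Forbes’s write-up), the suffix check described above beside a hardened form that enforces a label boundary and an https origin; the function names, the https requirement and the sample origins are assumptions:

```python
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "hp.com"


def vulnerable_check(origin: str) -> bool:
    """Reconstruction of the flawed logic the article describes (assumption):
    any hostname whose string ends in 'hp.com' is treated as trusted, so
    'nothp.com' passes because the check ignores the label boundary."""
    host = urlsplit(origin).hostname or ""
    return host.endswith(TRUSTED_DOMAIN)


def hardened_check(origin: str) -> bool:
    """Accept only an https origin whose host is exactly the trusted domain
    or a subdomain of it. The leading dot enforces the label boundary; the
    trailing dot of a fully qualified name is stripped before comparing."""
    parts = urlsplit(origin)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").lower().rstrip(".")
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)


def evaluate(origins):
    """Return {origin: (vulnerable_result, hardened_result)} for each origin."""
    return {o: (vulnerable_check(o), hardened_check(o)) for o in origins}


# Constructed sample origins: one legitimate, one suffix-collision
# lookalike, one plain-http downgrade and one prefix-style lookalike.
SAMPLE_ORIGINS = [
    "https://support.hp.com",
    "https://nothp.com",
    "http://support.hp.com",
    "https://hp.com.attacker.example",
]

if __name__ == "__main__":
    for origin, (vuln, hard) in evaluate(SAMPLE_ORIGINS).items():
        print(f"{origin:35} vulnerable={vuln!s:5} hardened={hard}")
```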

An attacker can exploit this bug to trigger arbitrary file downloads through the HP Download and Install Assistant. The downloaded software cannot be executed without the user pressing the “Install” button, but since the attacker can modify the name of the file that is being downloaded, it’s likely that at least inexperienced users would take the bait.

“If an inexperienced user were to visit a malicious page that looked like a real HP site telling them to update their software and the HP download manager pops up I think many might press install, which would execute the attacker’s malware and compromise their machines. For some advanced malware merely being downloaded could be enough,” Forbes explained in a blog post.

An attacker can also exploit the HP Support Solution Framework vulnerability to harvest user information, such as files, registry keys and system data. The researcher has pointed out that while this attack could be more dangerous, it’s more complex and targeted.

For this attack to work, a malicious actor would have to find a way to get the application to connect to their server instead of HP’s server. This can be achieved through DNS spoofing or a man-in-the-middle (MitM) attack, the expert said.


“While I don’t want to be too critical of HP because their response was prompt and speedy I do think that their security procedures are lacking if such software can be published by them,” Forbes noted. “That being said they do make it clear to users that they are downloading the entire Support Solutions Framework and explain the functionality it includes.”

The vulnerability was reported to HP on March 25 and it was addressed by the company on April 10.

In a security advisory published on Friday, HP noted that HP Support Solution Framework versions prior to 11.51.0049 for Windows are vulnerable to the types of attacks described by the researcher. The flaw, which according to the company can lead to remote code execution and information disclosure, has been assigned the CVE identifier CVE-2015-2114 and a CVSS score of 5.8, which puts it in the “medium severity” category. Users are advised to update the software by visiting support.hp.com and clicking on “Identify Now.”

This isn’t the first time Forbes has found such a vulnerability. Last month, the expert reported uncovering a similar, but more serious, issue in Dell’s System Detect application.


Copyright © 2024 SecurityWeek ®, a Wired Business Media Publication. All Rights Reserved.
