MNDT-2022-0030
Description
HP Support Assistant is vulnerable to multiple security weaknesses prior to version 9.11 including privilege escalation, compromise of integrity, allowed communication with untrusted clients, and unauthorized modification of files.
Impact
High - Exploiting these vulnerabilities will give a local unprivileged attacker SYSTEM level privileges.
Exploitability
Medium - Any local user with an understanding of the HP Support Assistant API can exploit these vulnerabilities and producing an exploit is trivial.
CVE References
- CVE-2020-6917 (Base Score - 7.8 AV:L/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:N)
- CVE-2020-6918 (Base Score - 7.8 AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N)
- CVE-2020-6919 (Base Score - 7.8 AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N)
- CVE-2020-6920 (Base Score - 5.0 AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:N/A:N)
- CVE-2020-6921 (Base Score - 7.8 AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N)
- CVE-2020-6922 (Base Score - 7.8 AV:L/AC:H/PR:H/UI:R/S:C/C:H/I:H/A:N)
Technical Details
Mandiant determined that the UncompressCabFile(..) function exposed by the HP Support Framework API uncompressed a trusted CAB or ZIP file; however, due to a race condition in the digital certificate checking function (CVE-2020-6917) as well as a directory traversal vulnerability during unzipping (CVE-2020-6921), Mandiant was able to achieve arbitrary file creation as the user NT AUTHORITY\SYSTEM. This, when combined with a DLL-sideloading vulnerability within the HP Support Assistant binary, resulted in local code execution as the user NT AUTHORITY\SYSTEM from an unprivileged and trusted context.
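The two defects named above, a check-then-use race on the archive and an unzip routine that trusts entry names, each have a standard mitigation, shown here as an added example that is neither HP's code nor the Mandiant proof of concept. The routine verifies the exact bytes it will extract (a SHA-256 digest against a known value stands in for the certificate check, so there is no on-disk file to swap between verification and use) and refuses any archive containing an entry that would resolve outside the destination directory. The sample archives, entry names and digests are constructed for the example.

```python
"""Hardened archive extraction: integrity check on the bytes actually used,
plus rejection of path-traversal entries. Added example, not HP's code."""
import hashlib
import io
import tempfile
import zipfile
from pathlib import Path, PureWindowsPath


def entry_is_safe(name: str) -> bool:
    """Return False for absolute paths, drive letters, UNC paths, or any '..' component.
    Backslashes are treated as separators because Windows extractors honour them."""
    normalized = name.replace("\\", "/")
    if normalized.startswith("/") or PureWindowsPath(normalized).drive:
        return False
    parts = [p for p in normalized.split("/") if p not in ("", ".")]
    return ".." not in parts


def audit_archive(archive_bytes: bytes) -> list[str]:
    """Return the entry names that would escape the destination directory."""
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        return [info.filename for info in zf.infolist() if not entry_is_safe(info.filename)]


def safe_extract(archive_bytes: bytes, dest: Path, expected_sha256: str) -> list[str]:
    """Verify, then extract, the same in-memory bytes: a path-based check followed by a
    path-based open leaves a window in which the file can be replaced; holding the bytes
    does not. Entries are audited before anything is written so a bad archive leaves no
    partial output. The SHA-256 comparison is a stand-in for signature verification."""
    if hashlib.sha256(archive_bytes).hexdigest() != expected_sha256:
        raise ValueError("archive failed integrity check")
    dest = dest.resolve()
    written = []
    with zipfile.ZipFile(io.BytesIO(archive_bytes)) as zf:
        bad = [i.filename for i in zf.infolist() if not entry_is_safe(i.filename)]
        if bad:
            raise ValueError(f"rejected traversal entries: {bad}")
        for info in zf.infolist():
            # Belt and braces: confirm the resolved target is still under dest.
            target = (dest / info.filename.replace("\\", "/")).resolve()
            if target != dest and dest not in target.parents:
                raise ValueError(f"entry escapes destination: {info.filename!r}")
            if info.is_dir():
                target.mkdir(parents=True, exist_ok=True)
                continue
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(zf.read(info))
            written.append(target.relative_to(dest).as_posix())
    return written


def build_sample_archives() -> tuple[bytes, bytes]:
    """Constructed test data: one well-formed archive and one carrying traversal entries."""
    benign = io.BytesIO()
    with zipfile.ZipFile(benign, "w") as zf:
        zf.writestr("app/config.ini", "[update]\nchannel=stable\n")
        zf.writestr("app/data/strings.txt", "hello")
    hostile = io.BytesIO()
    with zipfile.ZipFile(hostile, "w") as zf:
        zf.writestr("app/config.ini", "ok")
        zf.writestr("../../escape.txt", "outside the extraction root")
        zf.writestr("..\\..\\escape2.txt", "same trick with backslashes")
        zf.writestr("C:/ProgramData/escape3.txt", "absolute Windows path")
    return benign.getvalue(), hostile.getvalue()


def demo() -> dict:
    """Run the extractor against both constructed archives in a throwaway directory."""
    benign, hostile = build_sample_archives()
    result = {"hostile_rejected": audit_archive(hostile)}
    with tempfile.TemporaryDirectory() as tmp:
        result["benign_written"] = safe_extract(
            benign, Path(tmp), hashlib.sha256(benign).hexdigest())
        try:
            safe_extract(hostile, Path(tmp), hashlib.sha256(hostile).hexdigest())
        except ValueError as exc:
            result["hostile_error"] = str(exc)
        try:
            safe_extract(benign, Path(tmp), "0" * 64)  # digest of a different archive
        except ValueError as exc:
            result["tamper_error"] = str(exc)
    return result


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The design choice that matters for the race is that the digest and the extraction operate on one `bytes` object; reading the file a second time by path, after the check, would reintroduce the window. The traversal check rejects the whole archive rather than skipping bad entries, so an operator sees a failed update rather than a silently incomplete one.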
Resolution
These issues were fixed in HP Support Assistant version 9.11. Update to this version to address these vulnerabilities.
Discovery Credits
- Jake Valletta, Mandiant
- Roderic Deichler, Mandiant
Disclosure Timeline
- 26-May-2020 - Issue reported to HP.
- 26-May-2020 - HP responds to initial report requesting additional information.
- 20-Sep-2020 - HP requests Mandiant to test incremental fixes.
- 07-Apr-2021 - HP indicates disclosure will be published at end of month.
- 08-May-2021 - HP indicates that they're still working on a fix.
- 03-Mar-2022 - Patched version released along with security advisory.