Ten Vulnerabilities Discovered in HP Support Assistant
CVSS 3.0 base scores calculated by HP
- CVE-2019-18919: 7.3
- CVE-2019-18920: 5.6
Sources
https://support.hp.com/us-en/document/c06609927
Risks
An attacker could exploit the vulnerabilities in multiple ways, including:
- Arbitrary file deletion
- Potential escalation of privilege
- Remote code execution
Description
HP Support Assistant is pre-installed on all HP machines sold after 2012 that run Windows 7, Windows 8/8.1, or Windows 10.
Most of these flaws were reported to HP on October 5, 2019; HP acted on the report and released a patch on December 19, 2019. Because some vulnerabilities remained unpatched after that release, a second report was filed with HP on January 6, 2020.
A further patch was released on April 1, 2020, which should fix the privilege escalation and arbitrary file deletion vulnerabilities.
Users nevertheless remain exposed to three local privilege escalation vulnerabilities. The researcher who disclosed the flaws notes that they can only be exploited by an attacker who has already gained access to the system, which lowers the risk.
Possibilities to protect your machine
- Enable automatic updates for HP Support Assistant
- Update to the latest version; note that three local privilege escalation bugs remain unpatched in it
- Uninstall the software entirely until the next patch is released, if the risk is too high for your environment
A proof-of-concept for these vulnerabilities has been published on the researcher's blog.
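To carry out the second and third options across a fleet, an administrator first needs to know which version of HP Support Assistant each machine runs. The script below is an added example written for this advisory; it is not code from CERT.be, HP, or the researcher. It reads the Windows Uninstall registry keys (where HP Support Assistant registers itself; the DisplayName prefix "HP Support Assistant" is an assumption), reports the installed version, warns if it is below a minimum you pass in (take the fixed version from the HP advisory at https://support.hp.com/us-en/document/c06609927; it is deliberately not hardcoded here), and can optionally run the registered uninstaller.

```powershell
# Added example (not from the CERT.be advisory, HP, or the researcher).
# Inventory HP Support Assistant via the Uninstall registry keys and optionally remove it.
# -MinimumVersion is supplied by the operator from the HP advisory; no version is assumed here.
[CmdletBinding(SupportsShouldProcess)]
param(
    [version]$MinimumVersion,   # fixed version from the HP advisory (operator-supplied)
    [switch]$Uninstall          # actually remove the product (supports -WhatIf / -Confirm)
)

# Both 64-bit and 32-bit (WOW6432Node) Uninstall hives, so the entry is found either way.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Assumption: the product registers with a DisplayName starting "HP Support Assistant".
$hpsa = Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -like 'HP Support Assistant*' }

if (-not $hpsa) {
    Write-Output 'HP Support Assistant is not installed on this machine.'
    return
}

foreach ($entry in $hpsa) {
    # DisplayVersion can be missing on broken installs; do not cast a null.
    $installed = if ($entry.DisplayVersion) { [version]$entry.DisplayVersion } else { $null }
    Write-Output ("Found '{0}', version {1}" -f $entry.DisplayName, ($installed ?? 'unknown'))

    if ($MinimumVersion -and ($null -eq $installed -or $installed -lt $MinimumVersion)) {
        Write-Warning ("Installed version ({0}) is below {1}: update or uninstall." -f `
            ($installed ?? 'unknown'), $MinimumVersion)
    }

    if ($Uninstall -and $PSCmdlet.ShouldProcess($entry.DisplayName, 'Uninstall')) {
        $cmd = $entry.UninstallString
        if ($cmd -match '^MsiExec\.exe\s+/[IX](\{[0-9A-Fa-f\-]+\})') {
            # MSI-based install: remove silently using the product code taken from the registry.
            Start-Process -FilePath 'msiexec.exe' `
                -ArgumentList "/x $($Matches[1]) /qn /norestart" -Wait
        } else {
            # Non-MSI uninstaller: run the registered command as-is (it may show a UI).
            Start-Process -FilePath 'cmd.exe' -ArgumentList "/c $cmd" -Wait
        }
    }
}
```

Run it without switches to inventory only (`.\Check-HPSA.ps1 -MinimumVersion <version from the HP advisory>`), and add `-Uninstall -WhatIf` first to see what would be removed before running it for real. The `??` null-coalescing operator requires PowerShell 7; on Windows PowerShell 5.1 replace those two expressions with an explicit `if/else`.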
Recommended Actions
The HP Product Security Response Team released an advisory for these vulnerabilities.
CERT.be recommends applying the patch as soon as possible and enabling automatic updates by default to reduce the risk of exploitation.