Published on April 4th, 2020

Windows PCs Exposed to Attacks by Critical HP Support Assistant Bugs



Several critical HP Support Assistant vulnerabilities expose Windows computers to remote code execution attacks and could allow attackers to elevate their privileges or to delete arbitrary files following successful exploitation.

HP Support Assistant, marketed by HP as a "free self-help tool," is pre-installed on new HP desktops and notebooks, and it is designed to deliver automated support, updates, and fixes to HP PCs and printers.

"Improve the performance and reliability of your PCs and printers with automatic firmware and driver updates," HP says. "You can configure your options to install updates automatically or to notify you when updates are available."

HP computers sold after October 2012 and running Windows 7, Windows 8, or Windows 10 operating systems all come with HP Support Assistant installed by default.

Some critical flaws patched, others not so much

Security researcher Bill Demirkapi found ten different vulnerabilities within the HP Support Assistant software, including five local privilege escalation flaws, two arbitrary file deletion vulnerabilities, and three remote code execution vulnerabilities.

HP PSIRT partially patched the vulnerabilities in December 2019 after receiving an initial disclosure report from Demirkapi during October 2019.

Another patch was issued in March 2020 after the researcher sent an updated report in January to patch one of the flaws that was left untouched previously and to fix a newly introduced one.

However, HP failed to patch three of the local privilege escalation vulnerabilities, which means that even if you are using the latest HP Support Assistant version, you are still exposed to attacks.

This type of vulnerability is commonly exploited by malicious actors during the later stages of their attacks, after a machine has already been infiltrated, to elevate permissions, establish persistence, and further compromise the targeted system.

"It is important to note that because HP has not patched three local privilege escalation vulnerabilities, even if you have the latest version of the software, you are still vulnerable unless you completely remove the agent from your machine," Demirkapi explained in his detailed technical description.

[Figure: HP remediation table showing patched and unpatched vulnerabilities (Bill Demirkapi)]

Mitigation measures

To fully mitigate all flaws Demirkapi found, you will need to uninstall the vulnerable software by removing both HP Support Assistant and HP Support Solutions Framework from your computer.

If you rely on them to keep your devices' software up to date, you should know that HP Support Assistant does not enable automatic updates by default; you have to opt in.

If you don't have automatic updates enabled or you don't want to toggle them on, you will have to update the app manually, either by checking for the latest version from within the app or by downloading the latest release from HP's support website.
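For administrators checking whether the two components named above are still present on a Windows host, here is an added PowerShell audit script (example code written for this article, not from HP or from Demirkapi's write-up). It assumes both products register under the standard Windows Uninstall registry keys and matches them by the display names used in this article; it reports only and does not remove anything.

```powershell
# Added example: audit a Windows host for the two HP components the article says
# must be removed for full mitigation. Reports only; it does not uninstall anything.
# Assumption: both products register under the standard Uninstall registry keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# Product names taken from the article's mitigation section.
$targets = @('HP Support Assistant', 'HP Support Solutions Framework')

function Get-HpSupportComponents {
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object {
            $name = $_.DisplayName
            $name -and ($targets | Where-Object { $name.Trim() -like "$_*" })
        } |
        Select-Object DisplayName, DisplayVersion, Publisher, UninstallString
}

$found = Get-HpSupportComponents
if (-not $found) {
    Write-Output 'Neither HP Support Assistant nor HP Support Solutions Framework is installed.'
} else {
    # Any hit counts as exposed: the article notes three LPE flaws remain unpatched
    # in every version, so the version number alone does not indicate safety.
    Write-Warning "HP support components are present; the article's guidance is to remove both."
    $found | Format-Table -AutoSize
}
```

Run it in an elevated PowerShell session so both 32-bit and 64-bit registry views are readable; the UninstallString column shows the vendor's own removal command for each hit.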

Full details including the discovery process and exploitation methods for each of the vulnerabilities Demirkapi discovered in HP Support Assistant are available within Demirkapi's extensive write-up.

Video demos of proof-of-concept exploits for one remote code execution variant and for a local privilege escalation flaw are embedded below.

Critical flaws in Dell bloatware

This is not the first time Demirkapi has found critical vulnerabilities within software that comes pre-installed on major vendors' computers, including Lenovo and Dell.

For instance, he previously discovered a remote code execution flaw tracked as CVE-2019-3719 and impacting most Dell machines that come with the SupportAssist Client software installed by default.

Demirkapi also found a local privilege escalation vulnerability affecting Dell's SupportAssist Client which comes "preinstalled on most of all new Dell devices running Windows operating system."

SupportAssist "proactively checks the health of your system's hardware and software," according to Dell, and it will send "necessary system state information" to Dell for troubleshooting when issues are detected.
