Threat Watch

HP Fixes Severe Bug in Pre-Installed Support Assistant Tool

HP has issued a security advisory informing users about a newly discovered vulnerability in HP Support Assistant. HP Support Assistant comes pre-installed on all HP laptops and desktop computers and is used to troubleshoot device issues and check for BIOS and driver updates.

The vulnerability, tracked as CVE-2022-38395, is a DLL hijacking flaw in the HP Support Assistant tool. DLL hijacking occurs when a malicious DLL is placed in the same folder as the vulnerable executable, abusing the Windows DLL search order, which checks the application's own directory before the System32 directory. When the program is executed, the malicious DLL is loaded alongside it with the same privileges as the running executable. In the case of HP Support Assistant, this means the DLL is loaded with “SYSTEM” privileges, allowing a threat actor who exploits this vulnerability to escalate their privileges to the highest level. The hijack occurs when the HP Performance Tune-up utility is launched from within the main HP Support Assistant tool.
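The two conditions that turn a search-order hijack into a privilege escalation are an application directory that low-privileged users can write to and DLLs in that directory that shadow a System32 copy. The following audit script is an added example for defenders, not code from HP or from the advisory; the default install path is an assumption and should be pointed at whatever folder is being audited.

```powershell
# Added audit script (not HP's or the advisory's own code): checks whether an
# application directory is exposed to DLL search-order hijacking.
# The default path below is an ASSUMPTION; pass -AppDir to audit another folder.
param(
    [string]$AppDir = 'C:\Program Files (x86)\HP\HP Support Assistant'  # assumed path
)

# Identities that represent ordinary, non-administrative users.
$lowPrivIdentities = @('BUILTIN\Users', 'Everyone', 'NT AUTHORITY\Authenticated Users')
# Any overlap with these rights means a file can be created or changed in the folder.
$writeRights = [System.Security.AccessControl.FileSystemRights]::Write -bor
               [System.Security.AccessControl.FileSystemRights]::Modify -bor
               [System.Security.AccessControl.FileSystemRights]::FullControl

# Precondition for the hijack: can a low-privileged account drop a DLL here?
function Test-LowPrivWritable {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($lowPrivIdentities -notcontains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band [int]$writeRights) -ne 0) { return $true }
    }
    return $false
}

# DLLs in the app folder that share a name with a System32 DLL shadow the system copy,
# because the application directory is searched first. Report their signature state
# so a planted, unsigned file stands out from the vendor's own shipped copies.
function Get-ShadowingDlls {
    param([string]$Path)
    $system32 = Join-Path $env:SystemRoot 'System32'
    Get-ChildItem -Path $Path -Filter '*.dll' -File -ErrorAction SilentlyContinue |
        Where-Object { Test-Path (Join-Path $system32 $_.Name) } |
        ForEach-Object {
            $sig = Get-AuthenticodeSignature -FilePath $_.FullName
            [pscustomobject]@{
                Dll       = $_.FullName
                Signature = $sig.Status
                Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }
            }
        }
}

if (-not (Test-Path -Path $AppDir)) { Write-Warning "Directory not found: $AppDir"; return }

$writable = Test-LowPrivWritable -Path $AppDir
Write-Output ("Low-privileged users can write to {0}: {1}" -f $AppDir, $writable)
Get-ShadowingDlls -Path $AppDir | Format-Table -AutoSize
```

A folder that reports `True` for low-privileged write access and runs a SYSTEM-level executable is the condition to fix first, by correcting the ACL; an unsigned DLL with a System32 name in such a folder is worth treating as an incident rather than a configuration issue.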

This vulnerability exists in HP Support Assistant versions prior to 9.11. HP has released a fix for the vulnerability in versions 9.11 and onwards.

ANALYST NOTES

It is highly recommended to update all HP devices that have the HP Support Assistant tool installed to the latest version. Due to the widespread usage of HP Support Assistant and the low complexity of exploitation, threat actors who establish an initial foothold on a device will be able to escalate to the highest privileges on the system with ease. In addition, HP will not be releasing a fix for the older 8.x branch, so it is also recommended to verify the installed version and update to the latest 9.x release on those devices. Finally, HP Support Assistant can be automatically upgraded when a new version is released by enabling Microsoft Store updates. It is highly recommended to enable this, so that when new versions are released and any future vulnerabilities are patched, they are applied automatically on the device. This applies not only to HP Support Assistant but to any other application that is delivered through the Microsoft Store.
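Verifying the installed version across a fleet is the practical first step in the recommendation above. The script below is an added example, not HP's or the advisory's own tooling; it matches the Store package and the classic Win32 registration by wildcard rather than asserting exact HP package identifiers, and flags anything older than the fixed 9.11 release, which covers the unmaintained 8.x branch as well.

```powershell
# Added inventory check (not HP's or the advisory's own code): reports whether
# HP Support Assistant on this machine is older than the fixed 9.11 release.
# Package and display names are matched by wildcard (an assumption about naming).
$fixedVersion = [version]'9.11'

function Get-HpsaInstalls {
    $found = @()

    # Microsoft Store (AppX) installs; version strings parse as System.Version.
    Get-AppxPackage -Name '*HPSupportAssistant*' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $v = $_.Version -as [version]
            if ($v) {
                $found += [pscustomobject]@{ Source = 'MicrosoftStore'; Name = $_.Name; Version = $v }
            }
        }

    # Classic (Win32) installs registered under the Uninstall keys (64-bit and 32-bit views).
    $uninstallKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    )
    Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'HP Support Assistant*' } |
        ForEach-Object {
            $v = $_.DisplayVersion -as [version]
            if ($v) {
                $found += [pscustomobject]@{ Source = 'Win32'; Name = $_.DisplayName; Version = $v }
            }
        }

    return $found
}

function Test-HpsaVulnerable {
    param([Parameter(Mandatory)][version]$Installed)
    # Anything below 9.11, including every 8.x build, is affected by CVE-2022-38395.
    return $Installed -lt $fixedVersion
}

$installs = Get-HpsaInstalls
if (-not $installs) { Write-Output 'HP Support Assistant not found on this device.'; return }

foreach ($i in $installs) {
    $status = if (Test-HpsaVulnerable -Installed $i.Version) { 'VULNERABLE - update to 9.11 or later' } else { 'OK' }
    Write-Output ("{0,-15} {1,-30} {2,-12} {3}" -f $i.Source, $i.Name, $i.Version, $status)
}
```

Run it under an account that can read HKLM and enumerate the current user's Store packages; for a fleet-wide view, wrap it in your endpoint management tool and collect the output lines, since the `VULNERABLE` marker is the only field that needs to be aggregated.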

https://www.bleepingcomputer.com/news/security/hp-fixes-severe-bug-in-pre-installed-support-assistant-tool/

https://support.hp.com/us-en/document/ish_6788123-6788147-16/hpsbhf03809