According to researchers at SafeBreach, a company that focuses on feigning breaches and attacks, HP’s Touchpoint Analytics service is impacted by a possibly grave flaw.

HP Touchpoint Analytics is transported with many HP laptop and desktop computers running Windows. The service is intended to assemble nameless analytic information on hardware performance for which it uses an open source tool by the name of Open Hardware Monitor.

SafeBreach suggests that when HP Touchpoint Analytics is begun, it seeks to load three missing DLL files. A spiteful actor with administrative privileges on the beleaguered system can generate malicious DLLs with the names of the misplaced files and put them in sites where they would get performed when the HP service starts.

An attacker can use this for numerous purposes, including to escalate privileges to SYSTEM and sidestep security devices, such as application whitelisting and signature authentication. This is possible because of the fact that the malicious files would be run by a signed service.

The company also maintained that the Open Hardware Monitor library can be exploited to read and write to physical memory.

Tracked as CVE-2019-6333, the flaw can be extremely valuable to attackers as the impacted HP software is mounted on a slew of devices.

Open Hardware Monitor does not seem to be maintained anymore. The up-to-date version was issued on the official website in November 2016 and the last changes to the code hosted on GitHub were made in January 2018.

The susceptibility was stated to HP in early July and it was repaired this month with the issue of version 4.1.4.2827. In its own recommendation, HP defines it as a random code implementation vulnerability and assigns it a CVSS score of 6.7 (medium severity).

When the occurrence of Touchpoint Analytics was first exposed on HP devices in 2017, some people expressed worries about the data collected by the service and even labeled it as a piece of spyware. Nevertheless, HP elucidated at the time that the utility had been around since 2014, it only gathers hardware performance data, and the data is not sent to HP servers unless users opt in during arrangement.

Leave a Reply

Your email address will not be published. Required fields are marked *