[German]HP Touchpoint Analytics software is pre-installed on most HP computers. A vulnerability allows attackers to gain administrator privileges. Here’s what you need to know about that incident.
HP TouchPoint Analytics is software preinstalled on most HP computers in the form of a Windows service that runs with NT AUTHORITY\SYSTEM” top-level permissions and is used to anonymously collect hardware performance diagnostic information. I had already blogged about issues with the HP Touchpoint Analytics software in 2017 (see my German blog post HP installiert heimlich HP Touchpoint Analytics Client-Telemetriedatenprogramm). There was a statement from HP at that time that telemetry data collection was not a problem.
Vulnerability in HP Touchpoint Analytics
Bleeping Computer reported here that a Local Privilege Escalation (LPE) vulnerability has been found in the software. The CVE-2019-6333vulnerability was found in the Open Hardware Monitor library used by HP’s monitoring software.
CVE-2019-6333 enables attackers to run malware by extending system-level permissions and avoiding anti-malware detection. To do this, it can bypass the application’s whitelisting. This whitelisting is often used to prevent the execution of unknown or potentially malicious applications.
The vulnerability was discovered by security researcher Peleg Hadar of SafeBreach Labs and reported to HP on 4 July. It affects all versions of the HP Touchpoint Analytics Client under 188.8.131.5227. The problem is the DLL search path that is frequently mentioned here in the blog, which enables DLL hijacking.
According to Hadar, the security problem is caused by the use of an uncontrolled search path for DLLs and it is not validated whether the loaded DLLs are signed with digital certificates. This allows malware to store and load its own DLL in the path. The DLL then contains the system rights of the loading service.
Such errors in the DLL search order are often exploited in the later phase of malicious attacks after the affected computers have already been infiltrated. This vulnerability makes it possible to increase permissions to gain persistence and further infiltrate a compromised system.
Security advisory and update available
HP has released a security advisory to determine if a device is vulnerable and is providing an update to the HP TouchPoint Analytic software via Windwos Update. The Security Advisories contain information on how to update the software. Personally, I would rather uninstall the software.