Security researchers from SentinelOne have found a serious vulnerability in the HP OMEN Gaming Hub. The vulnerability in the HP OMEN gaming software driver allows attackers to gain SYSTEM privileges, which lets non-privileged users compromise the system and inject malware. Hewlett Packard already provided an update that closes the vulnerability in July 2021. Here is an overview of the issue.
HP OMEN Gaming Hub
The OMEN Gaming Hub is a software product that comes pre-installed on all HP OMEN desktops and laptops and can be downloaded from the Microsoft Store onto any Windows 10 computer that uses OMEN-branded accessories. The software can be used to control and optimize settings such as the device GPU, fan speeds, CPU overclocking, memory and more. The catch is that such packages often use kernel drivers to access the hardware, so a vulnerability in one of them has serious consequences.
A closer look at the drivers
During previous investigations of other HP products, security researchers found that the software of HP OMEN devices uses a pre-installed driver that contains vulnerabilities. These vulnerabilities allow attackers to enter kernel mode without administrator privileges. These vulnerabilities can very easily allow malicious actors to execute code in kernel mode because the transition to kernel mode is via an MSR (Minimum Security Requirement).
Severe vulnerability in Gaming Hub
When security researchers from SentinelLabs took a closer look, they came across a serious vulnerability that puts millions of HP OMEN-branded gaming devices at risk. Specifically, the two product versions affected are HP OMEN Gaming Hub (prior to version 184.108.40.206) and HP OMEN Gaming Hub SDK package (prior to version 1.0.44). After the discovery of a vulnerability in printers (see also Serious vulnerability in printer drivers from HP, Xerox and Samsung), this is already the second serious vulnerability in HP devices that researchers have uncovered this year.
Ways to exploit the vulnerability
An exploitable kernel driver vulnerability can give a non-privileged user SYSTEM privileges because the vulnerable driver is locally available to everyone. This serious vulnerability, if exploited, could allow any user on the computer, even without privileges, to escalate their privileges and execute code in kernel mode. One of the obvious abuses of such vulnerabilities is bypassing security software.
An attacker with access to an organization’s network can also run code on unpatched systems and exploit these vulnerabilities to escalate local privileges. Attackers can then use other techniques to spread into the wider network (such as lateral movement) and, for example, inject malware.
The security researchers’ findings were reported to HP on Feb. 17, 2021. The vulnerability has since been listed as CVE-2021-3437 with a CVSS score of 7.8. At this point, there is no evidence of exploitation in the wild. SentinelOne has documented the details in a blog post.
A patch is available
The vulnerability and corresponding mitigations are described in HP Security Advisory HPSBGN03726, which has been available to users via the Microsoft Store since July 27, 2021. Both enterprise and consumer customers are advised to install the patch as soon as possible. HP’s update can be found here.
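As an added example for administrators (not code from the article, HP or SentinelOne), the following PowerShell function checks whether the Store-installed OMEN Gaming Hub on a machine is older than the patched release. It assumes the package name matches "*OMEN*" and takes the minimum fixed version as a parameter, to be filled in from HPSBGN03726, because the version string reproduced in this article is not usable as a version number.

```powershell
# Added example: flag an HP OMEN Gaming Hub install that predates the fix
# described in HP advisory HPSBGN03726. Assumptions (not from the article):
# the Store package name matches "*OMEN*", and the caller supplies the
# minimum patched version taken from the advisory.
function Test-OmenGamingHubPatched {
    [CmdletBinding()]
    param(
        # Lowest version considered patched; take this from HPSBGN03726.
        [Parameter(Mandatory)] [version] $MinimumVersion,
        # Name pattern of the Store package (assumption, adjust if needed).
        [string] $NamePattern = '*OMEN*'
    )

    # Enumerate every user profile (requires an elevated shell): the driver
    # is reachable by any local user, so one unpatched install exposes the
    # whole machine, not just the profile that installed it.
    $packages = Get-AppxPackage -AllUsers -Name $NamePattern -ErrorAction SilentlyContinue

    if (-not $packages) {
        return [pscustomobject]@{ Installed = $false; Vulnerable = $false; Packages = @() }
    }

    $results = foreach ($pkg in $packages) {
        $installed = [version]$pkg.Version
        [pscustomobject]@{
            Name       = $pkg.Name
            Version    = $installed
            Vulnerable = ($installed -lt $MinimumVersion)
        }
    }

    [pscustomobject]@{
        Installed  = $true
        Vulnerable = [bool]($results | Where-Object Vulnerable)
        Packages   = $results
    }
}

# Usage: replace the placeholder with the fixed version from HPSBGN03726.
Test-OmenGamingHubPatched -MinimumVersion '0.0.0.0' | Format-List
```

A `Vulnerable = True` result means the installed package is below the version you supplied and the Store update should be applied; the SDK package mentioned in the article is not a Store app and is not covered by this check.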