Bugs in HP Support Assistant could lead to remote code execution attacks

News by Rene Millman

Flaws in HP’s Support Assistant software could allow hackers to run remote code execution attacks on Windows PCs

Security researchers have discovered several flaws in HP’s Support Assistant software that could lead to hackers running remote code execution attacks on Windows PCs, elevating privileges and deleting files after a successful attack.

In a detailed report on Github, security researcher Bill Demirkapi listed ten vulnerabilities in the software used by HP to provide updates and troubleshooting tools. The bugs include five local privilege escalation flaws, two arbitrary file deletion vulnerabilities, and three remote code execution vulnerabilities.

Affected HP computers were sold after October 2012 and run Windows 7, Windows 8, or Windows 10 operating systems. HP Support Assistant is installed by default.

Some of the flaws were patched in December last year following a disclosure by the researcher to HP in October 2019. However, three local privilege escalation vulnerabilities were left unpatched.

"It is important to note that because HP has not patched three local privilege escalation vulnerabilities, even if you have the latest version of the software, you are still vulnerable unless you completely remove the agent from your machine," Demirkapi wrote.

Stephen Hurren, senior consultant at Bulletproof, told SC Media UK that patching is how to ensure systems, and the software that runs on them, are safe from malicious attack. However, in this instance, patching alone does not mitigate the vulnerability.

“This is why it is critically important organisations have an awareness and understanding of reported vulnerabilities and how to take action. Indeed, another familiar mantra uttered by security professionals is to remove unused software. If you don’t use it, lose it. This way you are reducing the surface of attack,” he said.

“In addition to this, all software and hardware being produced should have a secure-by-design and secure-by-default approach. Automatic updating should be on by default, which appears not to be so in this instance. Continue running HP Support Assistant, removing it, patching it etc. is a business risk decision and it should be entered on the risk register. If applicable, a risk assessment must be performed and any residual risk after mitigation must be managed accordingly.”

Keith Geraghty, solutions architect at edgescan, told SC Media UK that when discussing "HP Support Assist" specifically, he thought there is a need to ask "do we need it" in our environment.

"In my opinion, Support Assist has an issue that a lot of similar applications have, which is 'getting in the user's face'. Constant reminders, updates not enabled by default and heavy resource load have been what many users describe on the forums as being their reason to disable or remove the software as the first step when building their new machine," he said.

"So, even at the set-up stage, we can already see an element of trust being broken between end-user and vendor. Even though removing the agent is a recommended mitigation, I think the vendor needs to go back to the drawing board and re-work the software. At the very least, make updates seamless, silent and easy to manage for organisations."
