On Tuesday, security experts revealed data about a high-severity weakness in the HP OMEN driver software, which affects millions of gaming laptops worldwide and leaves them vulnerable to various cyberattacks.
The vulnerability is tracked as CVE-2021-3437 with a CVSS score: 7.8. Threat actors may escalate privileges to kernel mode without having administrator rights, enabling them to deactivate security products, overwrite system components, and even damage the operating system.
The complete list of vulnerable devices includes HP ENVY, HP Pavilion, OMEN desktop gaming systems, and OMEN and HP Pavilion gaming laptops.
SentinelOne, a cybersecurity firm that identified and communicated the flaw to HP on February 17, claimed it discovered no trace of in-the-wild exploitation. Customers have subsequently received a security update from the company to address the flaw.
The problems are caused by OMEN Command Center, a pre-installed component on HP OMEN laptops and desktops and can also be downloaded from the Microsoft Store. The program is meant to assist smooth network activity, overclock the gaming PC for quicker computer performance, and monitor the GPU, CPU, and RAM through a vitals dashboard.
Souce of flaw
According to research shared with The Hacker News by SentinelOne, “The problem is that HP OMEN Command Center includes a driver that, while ostensibly developed by HP, is actually a partial copy of another driver full of known vulnerabilities.”
“In the right circumstances, an attacker with access to an organization’s network may also gain access to execute code on unpatched systems and use these vulnerabilities to gain local elevation of privileges. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement.”
HpPortIox64.sys is the driver in issue, and it gets its functionality from OpenLibSys-developed-WinRing0.sys, which was the origin of a local privilege escalation flaw in EVGA Precision X1 software last year (CVE-2020-14979, CVSS score: 7.8).
In August 2020, researchers from SpecterOps highlighted, “WinRing0 allows users to read and write to arbitrary physical memory, read and modify the model-specific registers (MSRs), and read/write to IO ports on the host. These features are intended by the driver’s developers. However, because a low-privileged user can make these requests, they present an opportunity for local privilege escalation.”
This is the second time WinRing0.sys has been identified as a source of security vulnerabilities in HP products.
In October 2019, SafeBreach Labs discovered a critical vulnerability in HP Touchpoint Analytics software (CVE-2019-6333), which is included with the driver, possibly enabling malicious actors to read arbitrary kernel memory and effectively allowlist malicious payloads via a signature validation bypass.
The discovery is the third in a series of security flaws affecting software drivers that SentinelOne has discovered since the beginning of the year.
Earlier this year, they found a 12-year-old privilege escalation problem in Microsoft Defender Antivirus (previously Windows Defender) that hackers could exploit to acquire admin access on unpatched Windows computers.
And last month, SentinelOne reported on a 16-year-old security flaw discovered in an HP, Xerox, and Samsung printer driver that allows attackers to obtain administrative access to computers running the vulnerable software.