ID: CVE-2019-6333
Type: cve
Reporter: cve@mitre.org
Modified: 2020-08-24T17:37:00
Description
A potential security vulnerability has been identified with certain versions of HP Touchpoint Analytics prior to version 4.1.4.2827. This vulnerability may allow a local attacker with administrative privileges to execute arbitrary code via an HP Touchpoint Analytics system service.
{"symantec": [{"lastseen": "2019-10-15T14:35:41", "bulletinFamily": "software", "cvelist": ["CVE-2019-6333"], "description": "### Description\n\nHP Touchpoint Analytics is prone to an unspecified local code-execution vulnerability. A local attacker can leverage this issue to execute arbitrary code in the context of the affected application. Failed attempts may lead to denial-of-service conditions. Versions prior to Touchpoint Analytics 4.1.4.2827 are vulnerable.\n\n### Technologies Affected\n\n * HP Touchpoint Analytics \n\n### Recommendations\n\n**Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.** \nEnsure that only trusted users have local, interactive access to affected computers.\n\n**Implement multiple redundant layers of security.** \nSince this issue may be leveraged to execute code, we recommend memory-protection schemes, such as non-executable stack/heap configurations and randomly mapped memory segments. This tactic may complicate exploits of memory-corruption vulnerabilities.\n\nUpdates are available. 
Please see the references or vendor advisory for more information.\n", "modified": "2019-10-04T00:00:00", "published": "2019-10-04T00:00:00", "id": "SMNTC-110405", "href": "https://www.symantec.com/content/symantec/english/en/security-center/vulnerabilities/writeup.html/110405", "type": "symantec", "title": "HP Touchpoint Analytics CVE-2019-6333 Unspecified Local Code Execution Vulnerability", "cvss": {"score": 0.0, "vector": "NONE"}}], "hp": [{"lastseen": "2020-10-13T01:01:55", "bulletinFamily": "software", "cvelist": ["CVE-2019-6333"], "description": "## Potential Security Impact\nExecution of arbitrary code.\n\n**Source**: HP, HP Product Security Response Team (PSRT) \n\n**Reported by**: Peleg Hadar (SafeBreach Labs) \n\n## VULNERABILITY SUMMARY\nA potential security vulnerability has been identified with certain versions of HP Touchpoint Analytics prior to version 4.1.4.2827.\n\nThis vulnerability may allow a local attacker with administrative privileges to execute arbitrary code via an HP Touchpoint Analytics system service.\n\n## RESOLUTION\nThe below options highlight how to detect if a device is affected by this vulnerability and for remediation actions.\n", "edition": 2, "modified": "2019-10-04T00:00:00", "published": "2019-10-04T00:00:00", "id": "HP:C06463166", "href": "https://support.hp.com/us-en/document/c06463166", "title": "HPSBGN03625 rev.1 - HP Touchpoint Analytics Execution of Arbitrary Code", "type": "hp", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}], "threatpost": [{"lastseen": "2020-09-15T22:21:04", "bulletinFamily": "info", "cvelist": ["CVE-2019-6333", "CVE-2020-4703", "CVE-2020-4711"], "description": "A security flaw, discovered in an open-source software program that is a key component of HP\u2019s TouchPoint Analytics service, is opening up a wide swath of HP computers to attack. 
The vulnerability, if exploited by local attackers with administrative privileges, can allow them to execute arbitrary code on victim systems.\n\nThe affected software, [Open Hardware Monitor](<https://openhardwaremonitor.org>), monitors temperature sensors, fan speeds, voltages, load and clock speeds of a computer. It is utilized by tens of millions of computers and is a key third-party component of HP Touchpoint Analytics, said researchers with SafeBreach Labs, who discovered the flaw.\n\nHP TouchPoint Analytics is a service that anonymously collects diagnostic information about hardware performance. The service is pre-installed on most HP PCs, meaning the flaw has a wide attack surface, said researchers.\n\n\u201cA number of potential attacks could result from exploiting this vulnerability giving attackers the ability to load and execute malicious payloads using a signed service, effectively whitelisting those applications,\u201d said Peleg Hadar, security researcher with SafeBreach Labs in a [Thursday advisory](<https://safebreach.com/Events-Post/295/HP-Touchpoint-Analytics-DLL-Search-Order-Hijacking-Potential-Abuses-CVE-2019-6333>).\n\nThe vulnerability (CVE-2019-6333) has a CVSS score of 6.7 out of 10.0, which translates to medium severity. However researchers say that they view the flaw as critical. Under a post-infection scenario an adversary could use the flaw to surreptitiously carry out attacks.\n\n\u201cIt\u2019s important to keep perspective here, we\u2019re not claiming this is a critical issue from a measurement standpoint of view,\u201d Itzik Kotler, co-founder and CTO at SafeBreach, told Threatpost. \u201cWe\u2019re using the term loosely in a marketing context. 
[We\u2019re] aware this vulnerability and the existing condition required to exploit it are not trivial/end of the world.\u201d\n\n## The Vulnerability\n\nThe main attack vector is DLL hijacking, a way for attackers to execute unexpected code on machines.\n\nDLL (Dynamic Link Library) is a file that contains a library of functions, which can be accessed and uploaded to a program. DLL hijacking is launched if attackers can get a file on machines (by social engineering or local access). That file could be executed when the user runs an application that is vulnerable to DLL hijacking.\n\nIn this situation, Open Hardware Monitor does not properly check DLLs before loading them.\n\n\u201cIn order to leverage this vulnerability, the attacker needs to drop a file to a certain folder. In some cases the attacker won\u2019t need to be an Administrator and in some cases he will need admin privileges,\u201d Peleg told Threatpost.\n\nOnce Open Hardware Monitor is loaded, it launches a third-party library (OpenHardwareMonitorLib.dll). This library has the ability to collect data from different hardware sources. However, researchers found that the service loaded unmanaged DLL files without verifying if they are safe or not.\n\n\u201cThe library tried to load the mentioned unmanaged DLL files using DllImportAttribute,\u201d said researchers. \u201cThe problem is that it used only the filename of the DLL, instead of an absolute path\u2026 And no digital certificate validation is made against the binary. The program doesn\u2019t validate whether the DLL that it is loading is signed. 
Therefore, it can load an arbitrary unsigned DLL.\u201d\n\nThat could allow attackers to load arbitrary DLLs through Open Hardware Monitor and, because the service is pre-installed on HP Touchpoint Analytics, which has the highest level of permissions on HP PCs (NT AUTHORITY\\SYSTEM), code can be executed onto the systems.\n\nOnce abused, the vulnerability could allow an attacker to launch an array of other malicious activities.\n\n\u201cThe capability for \u2018Application Whitelisting Bypass\u2019 and \u2018Signature Validation Bypassing\u2019 might be abused by an attacker for different purposes such as execution and evasion, to name two,\u201d researchers said. \u201cUsing Open Hardware Monitor\u2019s driver, which has the highest level of privileges in the operating system, an attacker can exploit this vulnerability and will be able to read and write to hardware memory.\u201d\n\nThe flaw was first reported to HP on July 4 and on Oct. 4, HP published a [security advisory](<https://support.hp.com/us-en/document/c06463166>) for the flaw. On Thursday, SafeBreach Labs researchers published public details of the vulnerability.\n\nHP did not respond to a request for comment from Threatpost.\n", "modified": "2019-10-10T13:00:12", "published": "2019-10-10T13:00:12", "id": "THREATPOST:330FBB8165B31F82A4C03594BB687EE1", "href": "https://threatpost.com/hp-touchpoint-analytics-opens-pcs-to-code-execution-attack/149069/", "type": "threatpost", "title": "HP Touchpoint Analytics Opens PCs to Code Execution Attack", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}