The vulnerability allows a user to gain system privilege.
RESOLUTION
Version 8.8 was released on June 18, 2019, which will automatically update HP Support Assistant clients.
To manually update HP Support Assistant to the latest version, please follow the steps below:
Open HP Support Assistant from the start menu.
Click About in the top right.
Check the version listed for HP Support Assistant and ensure it is 8.8 or newer.
If this version or later is not installed, select Check for latest version to install it.
{"id": "HP:C06388027", "bulletinFamily": "software", "title": "HPSBGN03620 rev. 4 - HP Support Assistant Escalation of Privilege Vulnerability", "description": "## Potential Security Impact\nElevation of privilege and unauthorized modification of directories or files.\n\n**Source:** HP, HP Product Security Response Team (PSRT) \n\n**Reported by:** Philippe Laulheret (McAfee Advanced Threat Research), ManhNDd (Bkav Corporation) \n\n## VULNERABILITY SUMMARY\nThe vulnerability allows a user to gain system privilege.\n\n## RESOLUTION\nVersion 8.8 was released on June 18, 2019, which will automatically update HP Support Assistant clients.\n\nTo manually update HP Support Assistant to the latest version, please follow the steps below:\n\n 1. Open HP Support Assistant from the start menu.\n\n 2. Click About in the top right. \n\n 3. Check the version listed for HP Support Assistant and ensure it is 8.8 or newer.\n\n 4. If this version or later is not installed, select Check for latest version to install it. \n", "published": "2019-06-23T00:00:00", "modified": "2019-06-23T00:00:00", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "href": "https://support.hp.com/us-en/document/c06388027", "reporter": "HP, HP Product Security Response Team (PSRT)", "references": [], "cvelist": ["CVE-2019-6329", "CVE-2019-6328"], "type": "hp", "lastseen": "2020-10-13T01:02:14", "edition": 2, "viewCount": 0, "enchantments": {"dependencies": {"references": [{"type": "cve", "idList": ["CVE-2019-6329", "CVE-2019-6328"]}, {"type": "nessus", "idList": ["HP_SUPPORT_ASSISTANT_8_8.NASL"]}], "modified": "2020-10-13T01:02:14", "rev": 2}, "score": {"value": 5.6, "vector": "NONE", "modified": "2020-10-13T01:02:14", "rev": 2}, "vulnersScore": 5.6}, "affectedSoftware": [], "scheme": null}
{"cve": [{"lastseen": "2020-12-09T21:41:55", "description": "HP Support Assistant 8.7.50 and earlier allows a user to gain system privilege and allows unauthorized modification of directories or files. Note: A different vulnerability than CVE-2019-6329.", "edition": 7, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.0"}, "impactScore": 5.9}, "published": "2019-06-25T17:15:00", "title": "CVE-2019-6328", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-6328"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:hp:support_assistant:8.7.50"], "id": "CVE-2019-6328", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6328", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:support_assistant:8.7.50:*:*:*:*:*:*:*"]}, {"lastseen": "2020-12-09T21:41:55", "description": "HP Support Assistant 8.7.50 and earlier allows a user to gain system privilege and allows unauthorized modification of directories or files. Note: A different vulnerability than CVE-2019-6328.", "edition": 8, "cvss3": {"exploitabilityScore": 1.8, "cvssV3": {"baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "attackComplexity": "LOW", "scope": "UNCHANGED", "attackVector": "LOCAL", "availabilityImpact": "HIGH", "integrityImpact": "HIGH", "baseScore": 7.8, "privilegesRequired": "LOW", "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H", "userInteraction": "NONE", "version": "3.1"}, "impactScore": 5.9}, "published": "2019-06-25T17:15:00", "title": "CVE-2019-6329", "type": "cve", "cwe": ["NVD-CWE-noinfo"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 3.9, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "COMPLETE", "availabilityImpact": "COMPLETE", "integrityImpact": "COMPLETE", "baseScore": 7.2, "vectorString": "AV:L/AC:L/Au:N/C:C/I:C/A:C", "version": "2.0", "accessVector": "LOCAL", "authentication": "NONE"}, "acInsufInfo": false, "impactScore": 10.0, "obtainUserPrivilege": false}, "cvelist": ["CVE-2019-6329"], "modified": "2020-08-24T17:37:00", "cpe": ["cpe:/a:hp:support_assistant:8.7.50"], "id": "CVE-2019-6329", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2019-6329", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}, "cpe23": ["cpe:2.3:a:hp:support_assistant:8.7.50:*:*:*:*:*:*:*"]}], "nessus": [{"lastseen": "2021-01-01T03:15:38", "description": "The version of HP Support Assistant installed on the remote Windows\nhost is prior to 8.8. It is, therefore, affected by two unspecified\nprivilege escalation vulnerabilities. An authenticated, local attacker\ncan exploit this, to gain system level access to the system.", "edition": 18, "cvss3": {"score": 7.8, "vector": "AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H"}, "published": "2019-07-19T00:00:00", "title": "HP Support Assistant < 8.8 Multiple Vulnerabilities", "type": "nessus", "bulletinFamily": "scanner", "cvelist": ["CVE-2019-6329", "CVE-2019-6328"], "modified": "2021-01-02T00:00:00", "cpe": ["cpe:/a:hp:support_assistant"], "id": "HP_SUPPORT_ASSISTANT_8_8.NASL", "href": "https://www.tenable.com/plugins/nessus/126826", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(126826);\n script_version(\"1.4\");\n script_cvs_date(\"Date: 2019/10/31 15:18:52\");\n\n script_cve_id(\"CVE-2019-6328\", \"CVE-2019-6329\");\n script_bugtraq_id(108891);\n script_xref(name:\"HP\", value:\"c06388027\");\n script_xref(name:\"HP\", value:\"HPSBGN03620\");\n script_xref(name:\"IAVB\", value:\"2019-B-0061\");\n\n script_name(english:\"HP Support Assistant < 8.8 Multiple Vulnerabilities\");\n script_summary(english:\"Checks the version of HP Support Assistant.\");\n\n script_set_attribute(attribute:\"synopsis\", value:\n\"An application installed on the remote Windows host is affected by\ntwo privilege escalation vulnerabilities.\");\n script_set_attribute(attribute:\"description\", value:\n\"The version of HP Support Assistant installed on the remote Windows\nhost is prior to 8.8. It is, therefore, affected by two unspecified\nprivilege escalation vulnerabilities. An authenticated, local attacker\ncan exploit this, to gain system level access to the system.\");\n # https://support.hp.com/ca-en/document/c06388027\n script_set_attribute(attribute:\"see_also\", value:\"http://www.nessus.org/u?0b41bcaa\");\n script_set_attribute(attribute:\"solution\", value:\n\"Upgrade to HP Support Assistant version 8.8 or later.\");\n script_set_cvss_base_vector(\"CVSS2#AV:L/AC:L/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:U/RL:OF/RC:C\");\n script_set_cvss3_base_vector(\"CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H\");\n script_set_cvss3_temporal_vector(\"CVSS:3.0/E:U/RL:O/RC:C\");\n script_set_attribute(attribute:\"cvss_score_source\", value:\"CVE-2019-6329\");\n\n script_set_attribute(attribute:\"exploitability_ease\", value:\"No known exploits are available\");\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2019/06/23\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2019/06/18\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2019/07/19\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/a:hp:support_assistant\");\n script_set_attribute(attribute:\"stig_severity\", value:\"II\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n script_family(english:\"Windows\");\n\n script_copyright(english:\"This script is Copyright (C) 2019 and is owned by Tenable, Inc. or an Affiliate thereof.\");\n\n script_dependencies(\"hp_support_assistant_installed.nbin\");\n script_require_keys(\"installed_sw/HP Support Assistant\");\n\n exit(0);\n}\n\ninclude('vcf.inc');\n\napp_info = vcf::get_app_info(app:'HP Support Assistant');\nconstraints = [{ 'fixed_version' : '8.8' }];\nvcf::check_version_and_report(app_info:app_info, constraints:constraints, severity:SECURITY_HOLE);\n", "cvss": {"score": 7.2, "vector": "AV:L/AC:L/Au:N/C:C/I:C/A:C"}}]}
