HP Product Security Response Team | HP:C06509350
Nov 20, 2019 - 12:00 a.m.

HPSBHF03642 rev. 2 - HP ThinPro Linux Information Disclosure and Privilege Escalation

support.hp.com
8

EPSS: 0.002 (Low), percentile 54.3%

Potential Security Impact

Information Disclosure, Privilege Escalation, and Arbitrary Code Execution

Source: HP, HP Product Security Response Team (PSRT)

Reported by: Eldar Marcussen - xen1thLabs - Software Labs (PSR-2019-0173, CVE-2019-16285, CVE-2019-16286, CVE-2019-16287, CVE-2019-18909, CVE-2019-18910) and Doug Ipperciel - NCC Group (PSR-2019-0184, CVE-2019-16286)

VULNERABILITY SUMMARY

Potential security vulnerabilities have been identified with certain versions of HP ThinPro components that may allow unauthorized information disclosure, privilege escalation, and arbitrary code execution.

RESOLUTION

HP has released security updates for all affected components. The updates are available through HP Easy Update, HP Thin Update, and HP Update Center within HP Device Manager. The update for each vulnerability is listed in the table below:

| Reference | Available Patch Version |
|---|---|
| CVE-2019-16286 | Firefox 60.9.0esr for ThinPro 6.2-7.1 version hp2a |
| CVE-2019-16285<br>CVE-2019-16287<br>CVE-2019-18909 | HP ThinPro 7.1 Service Pack 4<br>Security Update 2019 Rollup 005 For ThinPro 7.0<br>Security Update 2019 Rollup 005 For ThinPro 6.2.1<br>Security Update 2019 Rollup 005 For ThinPro 6.2 |
| CVE-2019-18910 | Citrix Workspace app 19.6.0 hp2d for ThinPro 6.2, 6.2.1, 7.0 and 7.1 |
