HPSBGN03632 rev. 1 - HP SoftPaq Installer Vulnerability

Potential Security Impact

Execution of Arbitrary Code, Escalation of Privilege.

Source: HP, HP Product Security Response Team (PSRT)

Reported by: Pierre-Alexandre Braeken; Eran Shimony

VULNERABILITY SUMMARY

A potential security vulnerability has been identified with a version of the HP Softpaq installer that can lead to arbitrary code execution.

RESOLUTION

HP is repackaging affected SoftPaqs (SP#####.exe) with a new installer (HP Software Wrapper).

• Software or drivers installed by the affected SoftPaqs do not need to be reinstalled – the problem is with the installer itself, not the installed software.

• HP recommends that customers delete affected SoftPaq executables (SP#####.exe) so that vulnerable installers cannot be exploited.

• Customers that maintain a local SoftPaq repository should replace affected SoftPaqs with updated versions.

Feature information on the new wrapper can be found in the HP Software Wrapper User Guide.

To identify the SoftPaq installer version:

1. Open the folder where SoftPaq files are stored or downloaded.

2. Right-click the SoftPaq executable file (SP#####.exe).

3. Select Properties.

4. Click the Details tab.

SoftPaqs with the affected installer can be identified by the following file attributes:

• Original filename: stub32i.exe

• File Version: 4.0.100.1189

• Icon:

SoftPaqs with the new installer can be identified by the following file attributes:

• Original filename: hpsoftpaqwrapper.exe

• File Version: 0.2.39.21874 or later

• Icon: