September 24, 2022
HP has issued a new version of its HP Support Assistant tool because of a high severity DLL hijacking vulnerability. HP has issued a new version of its HP Support Assistant tool. Users of HP Support Assistant versions earlier than 9.11 and Fusion versions earlier than 1.38.2601.0 are affected by a high severity vulnerability. According…

HP has issued a new version of its HP Support Assistant tool because of a high severity DLL hijacking vulnerability.

HP has issued a new version of its HP Support Assistant tool. Users of HP Support Assistant versions earlier than 9.11 and Fusion versions earlier than 1.38.2601.0 are affected by a high severity vulnerability. According to HP it is possible for an attacker to exploit a dynamic-link library (DLL) hijacking vulnerability and elevate privileges at launch of the HP Performance Tune-up.

The HP Support Assistant is a handy software utility provided by HP so that users can download and install necessary firmware and software, check performance-related metrics, and run some basic troubleshooting. The software comes pre-installed on all HP laptops and desktop computers.

HP Support Assistant uses HP Performance Tune-up as a diagnostic tool and launches it using Fusion. It is possible for an attacker to exploit the DLL hijacking vulnerability and elevate privileges when Fusion launches the HP Performance Tune-up.

The vulnerability was assigned a high severity rating with a CVSS v3.1 base score of 8.2 out of 10. The vulnerability is listed as CVE-2022-38395.

DLL hijacking

All Windows systems use a common method to search for the DLLs an application needs to load. The first two locations it will look for DLLs in an environment that uses the SafeDllSearchMode are:

  • The directory the application was loaded from
  • The system directory

DLL hijacking relies on the application loading the first DLL it finds that matches what it’s looking for. Attackers create a malicious library with the same name as a DLL required by the application and then put it in a directory that is searched before the one containing its namesake. If this is successful the attacker can run their malicious DLL code with the same privileges as the main process. To hide their tracks attackers may also load the legitimate DLL from their malicious code, so that the application continues to behave normally.

Since the HP Support Assistant runs with SYSTEM privileges this could be very beneficial to an attacker. SYSTEM privileges are slightly different from, but at roughly the same level as, Administrator permissions, especially when it comes to the file system.

Mitigation

HP recommends that customers update to the latest version of HP Support by turning on automatic updates in the HP Support Assistant settings. Alternately, customers can also get the latest version from the HP Support Assistance page.

Those using the older version 8.x won’t receive a security update, so they are advised to move to the newer branch. To do that, open the software, go to the About section, and click Check for updates.

Another option is to remove the HP Support Assistant software completely. You can always download the latest version if and when you need it.

Source