Cybersecurity researchers on Tuesday disclosed details about a high-severity flaw in the HP OMEN driver software that impacts millions of gaming computers worldwide, leaving them open to an array of attacks.
Tracked as CVE-2021-3437 (CVSS score: 7.8), the vulnerabilities could allow threat actors to escalate privileges to kernel mode without requiring administrator permissions, allowing them to disable security products, overwrite system components, and even corrupt the operating system.
Cybersecurity firm SentinelOne, which discovered and reported the shortcoming to HP on February 17, said it found no evidence of in-the-wild exploitation. The computer hardware company has since released a security update to its customers to address these vulnerabilities.
The issues themselves are rooted in a component called OMEN Command Center that comes pre-installed on HP OMEN-branded laptops and desktops and can also be downloaded from the Microsoft Store. The software, in addition to monitoring the GPU, CPU, and RAM via a vitals dashboard, is designed to help fine-tune network traffic and overclock the gaming PC for faster computer performance.
"The problem is that HP OMEN Command Center includes a driver that, while ostensibly developed by HP, is actually a partial copy of another driver full of known vulnerabilities," SentinelOne researchers said in a report shared with The Hacker News.
"In the right circumstances, an attacker with access to an organization's network may also gain access to execute code on unpatched systems and use these vulnerabilities to gain local elevation of privileges. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement."
The driver in question is HpPortIox64.sys, which derives its functionality from OpenLibSys-developed WinRing0.sys — a problematic driver that emerged as the source of a local privilege escalation bug in EVGA Precision X1 software (CVE-2020-14979, CVSS score: 7.8) last year.
"WinRing0 allows users to read and write to arbitrary physical memory, read and modify the model-specific registers (MSRs), and read/write to IO ports on the host," researchers from SpecterOps noted in August 2020. "These features are intended by the driver's developers. However, because a low-privileged user can make these requests, they present an opportunity for local privilege escalation."
The core issue stems from the fact that the driver accepts input/output control (IOCTL) calls without applying any kind of ACL enforcement, thus allowing bad actors unrestricted access to the aforementioned features, including capabilities to overwrite a binary that's loaded by a privileged process and ultimately run code with elevated privileges.
"To reduce the attack surface provided by device drivers with exposed IOCTLs handlers, developers should enforce strong ACLs on device objects, verify user input and not expose a generic interface to kernel mode operations," the researchers said.
Discover the untapped vulnerabilities in your API ecosystem and take proactive steps towards ironclad security. Join our insightful webinar!Join the Session
The findings mark the second time WinRing0.sys has come under the lens for causing security issues in HP products.
In October 2019, SafeBreach Labs revealed a critical vulnerability in HP Touchpoint Analytics software (CVE-2019-6333), which comes included with the driver, thus potentially allowing threat actors to leverage the component to read arbitrary kernel memory and effectively allowlist malicious payloads via a signature validation bypass.
Following the disclosure, enterprise firmware security company Eclypsium — as part of its "Screwed Drivers" initiative to compile a repository of insecure drivers and shed light on how they can be abused by attackers to gain control over Windows-based systems — dubbed WinRing0.sys a "wormhole driver by design."
The discovery is also the third in a series of security vulnerabilities affecting software drivers that have been uncovered by SentinelOne since the start of the year.
Earlier this May, the Mountain View-based company revealed details about multiple privilege escalation vulnerabilities in Dell's firmware update driver named "dbutil_2_3.sys" that went undisclosed for more than 12 years. Then in July, it also made public a high-severity buffer overflow flaw impacting "ssport.sys" and used in HP, Xerox, and Samsung printers that was found to have remained undetected since 2005.