Millions of HP OMEN gaming PCs impacted by CVE-2021-3437 driver flaw

A high severity vulnerability, tracked as CVE-2021-3437, in HP OMEN laptop and desktop gaming computers exposes millions of systems to DoS and privilege escalation attacks.

Millions of HP OMEN laptop and desktop gaming computers are exposed to multiple attacks by a high severity vulnerability tracked as CVE-2021-3437 that was discovered by SentinelLabs researchers.

“Potential security vulnerabilities have been identified in an OMEN Gaming Hub SDK package which may allow escalation of privilege and/or denial of service. HP is releasing software updates to mitigate the potential vulnerabilities.” reads the security advisory published by HP.

An attacker could exploit the vulnerability to trigger a denial of service (DoS) condition, escalate privileges, and disable security solutions. The issue received a CVSS score of 7.8.

Millions of HP OMEN laptop and desktop gaming computers are exposed to attacks by a high severity vulnerability that can let threat actors trigger a denial of service state, or escalate privileges and disable security solutions.

“An exploitable kernel driver vulnerability can lead an unprivileged user to SYSTEM since the vulnerable driver is locally available to anyone.” reads the analysis published by SentinelLabs. “This high severity flaw, if exploited, could allow any user on the computer, even without privileges, to escalate privileges and run code in kernel mode. Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products.”

A threat actor could trigger the flaw to gain SYSTEM privileges on targeted HP OMEN devices, then disable security products and perform other malicious activities, such as compromising the underlying operating system.

The flaw impacts a driver used by the OMEN Gaming Hub software, which is pre-installed on HP OMEN systems and lets users control and optimize settings such as the GPU, fan speeds, CPU overclocking, and memory.

The vulnerability stems from the reuse of flawed code from WinRing0.sys, a driver developed by OpenLibSys.

WinRing0.sys is a Windows driver that allows software to communicate with hardware or connected devices; for this reason, it has direct access to the internals of the operating system and to the hardware itself.

HP used the vulnerable code in the HpPortIox64.sys driver of the OMEN Gaming Hub software, which allows reading and writing kernel memory, PCI configuration space, IO ports, and Model-Specific Registers (MSRs).

“This driver enables user-mode applications to perform various privileged kernel-mode operations via IOCTLs interface.” continues the analysis. “Developers may find it convenient to expose a generic interface of privileged operations to user mode for stability reasons by keeping as much code as possible from the kernel-module. The IOCTL codes 0x9C4060CC, 0x9C4060D0, 0x9C4060D4, 0x9C40A0D8, 0x9C40A0DC and 0x9C40A0E0 allow user mode applications with low privileges to read/write 1/2/4 bytes to or from an IO port. This could be leveraged in several ways to ultimately run code with elevated privileges in a manner we have previously described here.”
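The IOCTL codes quoted above are plain CTL_CODE values, and an analyst triaging a driver like this will usually start by splitting them into their fields. The following decoder is an added example and is not code from the SentinelLabs analysis or from HP; it uses the public CTL_CODE bit layout (DeviceType << 16 | Access << 14 | Function << 2 | Method) and the six control codes cited in the article, everything else is illustrative.

```python
# Added example: decode Windows IOCTL control codes into their CTL_CODE fields.
# The six codes below are the ones cited for HpPortIox64.sys; the field layout
# is the documented CTL_CODE macro from the Windows driver headers.

METHODS = {
    0: "METHOD_BUFFERED",
    1: "METHOD_IN_DIRECT",
    2: "METHOD_OUT_DIRECT",
    3: "METHOD_NEITHER",
}

ACCESS = {
    0: "FILE_ANY_ACCESS",
    1: "FILE_READ_ACCESS",
    2: "FILE_WRITE_ACCESS",
    3: "FILE_READ_ACCESS|FILE_WRITE_ACCESS",
}

# Control codes named in the SentinelLabs write-up for the IO port read/write paths.
HP_PORT_IOCTLS = [0x9C4060CC, 0x9C4060D0, 0x9C4060D4,
                  0x9C40A0D8, 0x9C40A0DC, 0x9C40A0E0]


def decode_ioctl(code: int) -> dict:
    """Split a CTL_CODE value into its four fields.

    Layout: bits 31..16 DeviceType, bits 15..14 RequiredAccess,
            bits 13..2  Function,   bits 1..0   TransferMethod.
    """
    return {
        "device_type": (code >> 16) & 0xFFFF,
        "access": ACCESS[(code >> 14) & 0x3],
        "function": (code >> 2) & 0xFFF,
        "method": METHODS[code & 0x3],
        # Device types at or above 0x8000 are reserved for third-party vendors.
        "vendor_defined": ((code >> 16) & 0xFFFF) >= 0x8000,
    }


def summarize(codes) -> dict:
    """Map each control code (as a hex string) to its decoded fields."""
    return {f"0x{c:08X}": decode_ioctl(c) for c in codes}


def access_split(codes) -> dict:
    """Count how many codes declare read vs. write access in their CTL_CODE bits."""
    counts = {"read": 0, "write": 0, "any": 0}
    for c in codes:
        acc = (c >> 14) & 0x3
        if acc == 1:
            counts["read"] += 1
        elif acc == 2:
            counts["write"] += 1
        elif acc == 0:
            counts["any"] += 1
    return counts


if __name__ == "__main__":
    for name, fields in summarize(HP_PORT_IOCTLS).items():
        print(name, fields)
    print(access_split(HP_PORT_IOCTLS))
```

All six codes share the vendor-defined device type 0x9C40 and METHOD_BUFFERED; the three read codes carry FILE_READ_ACCESS and the three write codes FILE_WRITE_ACCESS. Those access bits only constrain which handle rights the caller must have obtained when opening the device, so, as the analysis notes, they offer no protection when the device object itself can be opened by any local user.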

Researchers developed a sample driver to demonstrate the attack without pursuing an actual exploit. Trying to restart a machine after running it results in an ‘Operating System not found’ error message, because the PoC code destroyed the first sector of the disk (the MBR).

“It’s worth mentioning that the impact of this vulnerability is platform dependent. It can potentially be used to attack device firmware or perform legacy PCI access by accessing ports 0xCF8/0xCFC. Some laptops may have embedded controllers which are reachable via IO port access.” continues the analysis.

The vulnerability impacts multiple products, including HP OMEN Gaming Hub prior to version 11.6.3.0 and HP OMEN Gaming Hub SDK Package prior to version 1.0.44.
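A defender checking a fleet against these two version thresholds needs a numeric comparison, because the obvious string comparison gets the ordering wrong once a component reaches two digits. The snippet below is an added example, not HP's or SentinelLabs' code; the fixed versions are the two named in the article, and the inventory rows are constructed sample input.

```python
# Added example: flag installed OMEN Gaming Hub / SDK versions that are below
# the first fixed versions named in HP's advisory. Inventory rows are constructed.

FIXED_VERSIONS = {
    "HP OMEN Gaming Hub": "11.6.3.0",
    "HP OMEN Gaming Hub SDK Package": "1.0.44",
}


def parse_version(text: str) -> tuple:
    """'11.6.3.0' -> (11, 6, 3, 0). Tuples of ints compare numerically."""
    return tuple(int(p) for p in text.strip().split("."))


def version_less_than(installed: str, fixed: str) -> bool:
    """True when installed < fixed, padding shorter tuples with zeros so that
    '11.6.3' and '11.6.3.0' compare as equal rather than as prefix < full."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    a += (0,) * (n - len(a))
    b += (0,) * (n - len(b))
    return a < b


def is_vulnerable(product: str, version: str):
    """True/False for products in the advisory, None for anything else."""
    fixed = FIXED_VERSIONS.get(product)
    if fixed is None:
        return None
    return version_less_than(version, fixed)


# Constructed sample inventory: (hostname, product, installed version).
SAMPLE_INVENTORY = [
    ("HOST-A", "HP OMEN Gaming Hub", "11.5.0.0"),
    ("HOST-B", "HP OMEN Gaming Hub", "11.6.3.0"),
    ("HOST-C", "HP OMEN Gaming Hub SDK Package", "1.0.43"),
    ("HOST-D", "HP OMEN Gaming Hub", "9.1.0.0"),
    ("HOST-E", "Some Other Product", "1.0.0"),
]


def vulnerable_hosts(inventory) -> list:
    """Hostnames whose installed version is older than the fixed version."""
    return [host for host, product, ver in inventory if is_vulnerable(product, ver)]


def naive_string_check(inventory) -> list:
    """The wrong way: lexicographic string comparison. Shown only to contrast."""
    return [host for host, product, ver in inventory
            if product in FIXED_VERSIONS and ver < FIXED_VERSIONS[product]]


if __name__ == "__main__":
    print("numeric :", vulnerable_hosts(SAMPLE_INVENTORY))
    print("string  :", naive_string_check(SAMPLE_INVENTORY))
```

On the sample rows the numeric check flags HOST-A, HOST-C and HOST-D, while the string comparison misses HOST-D because "9.1.0.0" sorts after "11.6.3.0" character by character.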

HP has released security patches to fix the CVE-2021-3437 vulnerability through the Microsoft Store on July 27.

In July, researchers from SentinelOne discovered a 16-year-old security vulnerability in an HP, Xerox, and Samsung printer driver that can allow attackers to gain admin rights on systems running the flawed driver. The discovery was made by chance several months earlier, while the experts were configuring a brand new HP printer and noticed that an old printer driver from 2005 called SSPORT.SYS was triggering an alert in Process Hacker.

“This led to the discovery of a high severity vulnerability in HP, Xerox, and Samsung printer driver software that has remained undisclosed for 16 years. This vulnerability affects a very long list of over 380 different HP and Samsung printer models as well as at least a dozen different Xerox products.” reads the analysis published by SentinelOne.

The vulnerability, tracked as CVE-2021-3438, is a buffer overflow that resides in the SSPORT.SYS driver which is used by some printer models.


Pierluigi Paganini

