Tens of million PCs potentially impacted by a flaw in HP Touchpoint Analytics

SafeBreach experts discovered that the HP Touchpoint Analytics service is affected by a potentially serious vulnerability.

Security researchers at SafeBreach have discovered that the HP Touchpoint Analytics service is affected by a serious flaw tracked as CVE-2019-6333. The vulnerability received a CVSS score of 6.7 (medium severity).

The TouchPoint Analytics is a service that allows the vendor to anonymously collect diagnostic data about hardware performance, it comes pre-installed on most HP PCs.

The service is based on the open-source tool Open Hardware Monitor and it is executed as “NT AUTHORITY\SYSTEM.”

The experts noticed that when the service is started, it attempts to load three missing DLL files. An attacker with administrative privileges on the targeted system can create malicious DLLs with the names of the missing files and place them in the locations where they were expected to be to get executed when the HP service starts.

The experts pointed out that the Touchpoint Analytics service would have high-permission-level access to the PC hardware, this means that a flaw affecting the could be exploited to escalate privileges to SYSTEM and bypass security features.

“The Open Hardware Monitor library provides a signed kernel driver named “WinRing0,” which is extracted and installed during runtime.” reads the analysis published by the experts.

“As you can see, the service was trying to load three missing DLL files, which eventually were loaded from the c:\python27 directory – our PATH environment variable:

atiadlxx.dll
atiadlxy.dll
Nvapi64.dll“

The researchers also published a PoC code to show how to use the Open Hardware Monitor library to read and write to physical memory.

The flaw could impact tens of millions of computers running the HP Touchpoint Analytics or Open Hardware Monitor.

“A potential security vulnerability has been identified with certain versions of HP Touchpoint Analytics prior to version 4.1.4.2827.” reads the security advisory published by HP. “This vulnerability may allow a local attacker with administrative privileges to execute arbitrary code via an HP Touchpoint Analytics system service.”

The experts reported the flaw to HP in early July and it was addressed this month with the release of version 4.1.4.2827.

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – Touchpoint Analytics, hacking)

[adrotate banner=”5″]

[adrotate banner=”13″]

Pierluigi Paganini

Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.