On Tuesday, security researchers disclosed details of a high-severity vulnerability in the HP OMEN driver software, which affects millions of gaming laptops worldwide and exposes them to a range of attacks.
Threat actors may be able to escalate privileges to kernel mode without having administrator access, allowing them to disable security products, overwrite system components, and even render the operating system unusable.
SentinelOne, the cybersecurity firm that discovered the flaw and reported it to HP on February 17, said it found no evidence of in-the-wild exploitation. HP has since released a security update to customers that addresses the flaws.
The problems are caused by OMEN Command Center, a component that comes pre-installed on HP OMEN laptops and desktops and can also be downloaded from the Microsoft Store. The software is meant to fine-tune network traffic and overclock the gaming PC for faster performance, in addition to monitoring the GPU, CPU, and RAM via a vitals dashboard.
“The problem is that HP OMEN Command Center includes a driver that, while allegedly built by HP, is actually a partial duplicate of another driver full of known vulnerabilities,” SentinelOne researchers said in a report shared with The Hacker News.
“An attacker with access to an organization’s network may be able to execute code on unpatched systems and utilise these vulnerabilities to acquire local elevation of privileges in the correct circumstances. Attackers can then use additional strategies, such as lateral movement, to pivot to the larger network.”
HpPortIox64.sys is the driver in question, and it derives its functionality from OpenLibSys’ WinRing0.sys, which was the source of a local privilege escalation bug in EVGA Precision X1 software last year.
Researchers from SpecterOps noted in August 2020 that “WinRing0 allows users to read and write to arbitrary physical memory, read and alter the model-specific registers (MSRs), and read/write to IO ports on the host. The driver’s creators intended for these features to be present. These requests, however, give a potential for local privilege escalation because they can be made by a low-privileged user.”
The core problem is that the driver accepts input/output control (IOCTL) requests without enforcing any access control list (ACL) on its device object, so any local user can open the device and invoke the capabilities above. That gives a low-privileged attacker unrestricted read/write access to physical memory, MSRs, and I/O ports, including the ability to overwrite a binary loaded by a privileged process and thus run code with elevated privileges.
“Developers should impose strong ACLs on device objects, check user input, and not expose a generic interface to kernel mode operations to decrease the attack surface afforded by device drivers with accessible IOCTLs handlers,” the researchers added.
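The first thing an administrator or incident responder wants after reading the above is a way to tell whether the driver named in the article is present and loaded on a given Windows host. The script below is an added example, written for this page; it is not code from the article, HP, SentinelOne, or SpecterOps. It assumes the driver file is installed under System32\drivers (a standard location, but not stated in the article), that the WinRing0 build on a host may carry a 64-bit file name (an assumption beyond the article's "WinRing0.sys"), and that the OMEN Command Center Store package name contains "OMEN" (also an assumption). Run it in an elevated PowerShell session.

```powershell
# Added example (not from the article, HP, SentinelOne or SpecterOps):
# audit a Windows host for the HpPortIox64.sys / WinRing0 driver discussed above.
# Assumptions: driver files live in System32\drivers; a 64-bit WinRing0 build may
# be named WinRing0x64.sys; the Store package name contains "OMEN". Run elevated.

$driverNames = @('HpPortIox64.sys', 'WinRing0.sys', 'WinRing0x64.sys')
$driverDir   = Join-Path $env:SystemRoot 'System32\drivers'

# 1. On-disk evidence: version, publisher, signature state and hash of each file found.
$onDisk = foreach ($name in $driverNames) {
    $path = Join-Path $driverDir $name
    if (Test-Path -Path $path) {
        $ver = (Get-Item -Path $path).VersionInfo
        $sig = Get-AuthenticodeSignature -FilePath $path
        [pscustomobject]@{
            File      = $path
            Version   = $ver.FileVersion
            Company   = $ver.CompanyName
            Signer    = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
            SigStatus = $sig.Status
            SHA256    = (Get-FileHash -Path $path -Algorithm SHA256).Hash
        }
    }
}

# 2. Runtime evidence: is a kernel service backed by one of these files registered or running?
$loaded = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName -match 'HpPortIo|WinRing0' } |
    Select-Object Name, State, StartMode, PathName

# 3. The application that ships the driver (Microsoft Store package), if installed.
$app = Get-AppxPackage -Name '*OMEN*' -ErrorAction SilentlyContinue |
    Select-Object Name, Version, InstallLocation

# 4. Report. Compare the driver version against HP's fixed release before closing the ticket.
Write-Host "== Driver files on disk =="
if ($onDisk) { $onDisk | Format-List } else { Write-Host "none of $($driverNames -join ', ') found in $driverDir" }

Write-Host "== Kernel services referencing the driver =="
if ($loaded) { $loaded | Format-Table -AutoSize } else { Write-Host 'none registered' }

Write-Host "== OMEN Command Center package =="
if ($app) { $app | Format-Table -AutoSize } else { Write-Host 'no matching Store package' }
```

The version and hash alone do not prove a host is safe: the article's point is that the vulnerable IOCTL surface exists whenever the WinRing0-derived code is loaded, so a driver that is present but in state "Stopped" still deserves removal or an update to HP's fixed build, and a hash that matches a known-vulnerable WinRing0 build under a different file name is the same exposure.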