A security flaw discovered in an open-source software program that is a key component of HP’s TouchPoint Analytics service is opening up a wide swath of HP computers to attack. The vulnerability, if exploited by local attackers with administrative privileges, can allow them to execute arbitrary code on victim systems.

The affected software, Open Hardware Monitor, monitors the temperature sensors, fan speeds, voltages, load and clock speeds of a computer. It is used by tens of millions of computers and is a key third-party component of HP Touchpoint Analytics, said researchers with SafeBreach Labs, who discovered the flaw. HP TouchPoint Analytics is a service that anonymously collects diagnostic information about hardware performance. The service is pre-installed on most HP PCs, meaning the flaw has a wide attack surface, the researchers said.

“A number of potential attacks could result from exploiting this vulnerability giving attackers the ability to load and execute malicious payloads using a signed service, effectively whitelisting those applications,” said Peleg Hadar, security researcher with SafeBreach Labs, in a Thursday advisory.

The vulnerability (CVE-2019-6333) has a CVSS score of 6.7 out of 10.0, which translates to medium severity. However, researchers say that they view the flaw as critical. In a post-infection scenario, an adversary could use the flaw to surreptitiously carry out attacks. “It’s important to keep perspective here, we’re not claiming this is a…
HP Touchpoint Analytics Opens PCs to Code Execution Attack
Posted by govanguard, 2019-10-10 09:00:00