Privacy Ninja

Millions of HP OMEN Gaming PCs Impacted By Driver Vulnerability

Millions of HP OMEN Gaming PCs Impacted By Driver Vulnerability

Millions of HP OMEN laptop and desktop gaming computers are exposed to attacks by a high severity vulnerability that can let threat actors trigger denial of service states or escalate privileges and disable security solutions.

The security flaw (tracked as CVE-2021-3437) was found in a driver used by the OMEN Gaming Hub software that comes pre-installed on all HP OMEN desktops and laptops.

CVE-2021-3437 is caused by HP’s choice to use vulnerable code partially copied from WinRing0.sys, an open source driver, to build the HpPortIox64.sys driver the OMEN Gaming Hub software uses to read/write kernel memory, PCI configurations, IO ports, and Model-Specific Registers (MSRs).

Also Read: 10 Simple and Useful Tips On Agreement Drafting Services

The complete list of vulnerable devices is available here and it includes OMEN and HP Pavilion gaming laptops, as well as HP ENVY, HP Pavilion, and OMEN desktop gaming systems.

Millions of devices and users impacted

OMEN Gaming Hub can be used to boost one’s gaming experience through overclocking, optimizing system settings for various gaming profiles, adjusting lighting on gaming devices and accessories, and a lot more.

Considering that the software can also be downloaded from the Microsoft Store and installed on any Windows 10 computer with peripheral accessories sold under HP’s OMEN brand, millions of PCs worldwide are impacted by this flaw.

“An exploitable kernel driver vulnerability can lead an unprivileged user to SYSTEM, since the vulnerable driver is locally available to anyone,” as SentinelOne researchers explained in a report published today.

“This high severity flaw, if exploited, could allow any user on the computer, even without privileges, to escalate privileges and run code in kernel mode.”

Once attackers gain SYSTEM privileges on targeted HP OMEN devices, they can easily disable security products, overwrite system components with malicious payloads, corrupt the underlying operating system, or perform any other malicious tasks they choose.

The list of software products impacted by this vulnerability includes:

  • HP OMEN Gaming Hub prior to version 11.6.3.0
  • HP OMEN Gaming Hub SDK Package prior to 1.0.44

Security patches available since July

HP has released patches for this high severity vulnerability through the Microsoft Store on July 27 and has published a security advisory earlier.

SentinelOne also shared their findings in today’s report to warn users to update their software and defend their systems against attackers using CVE-2021-3437 exploits.

“While we haven’t seen any indicators that these vulnerabilities have been exploited in the wild up till now, using any OMEN-branded PC with the vulnerable driver utilized by OMEN Gaming Hub makes the user potentially vulnerable,” SentinelOne warned.

“Therefore, we urge users of OMEN PC’s to ensure they take appropriate mitigating measures without delay.”

Today’s report follows another one published by SentinelOne last month regarding a 16-year-old security vulnerability found in an HP, Xerox, and Samsung printers driver, which allows attackers to gain admin rights on systems using the vulnerable software.

Also Read: Top 5 Impact of Data Loss on Business

Earlier this year, SentinelOne researchers also found a 12-year-old privilege escalation bug in Microsoft Defender Antivirus (formerly Windows Defender) that threat actors can exploit to gain admin rights on unpatched Windows systems.

Outsourced DPO – It is mandatory to appoint a Data Protection Officer. Engage us today.

PDPA Training (SkillsFuture Eligible) – Empower data protection knowledge for your employees.

Vulnerability Assessment Penetration Testing – Find loopholes in your websites, mobile apps or systems.

Privacy Ninja provides GUARANTEED quality and results for the following CORE SERVICES:

DPO-As-A-Service (Outsourced DPO Subscription)
Vulnerability Assessment & Penetration Testing (VAPT)
PDPA Obligations for Organizational Compliance (SkillsFuture Credit Eligible)

OTHER SERVICES:

PDPA Compliance Audit
Dig
ital Transformation Consultancy
Data Protection Trustmarks Certification Readiness Consultancy

PDPA Data Protection Software
Smart Contract Audit

LIKE & SUBSCRIBE:
Facebook
LinkedIn
Twitter
YouTube
Podcast

0 Comments

Leave a Reply

Your email address will not be published. Required fields are marked *

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Powered by WhatsApp Chat

× How can we help you?