HP patches severe OMEN driver privilege escalation vulnerability

The bug can be used to achieve kernel-mode permissions.
Written by Charlie Osborne, Contributing Writer

A high-impact vulnerability in OMEN Command Center driver software has been patched by HP.

On Tuesday, researchers from SentinelLabs published a technical deep-dive on the bug, tracked as CVE-2021-3437 and issued with a CVSS score of 7.8. 

SentinelLabs says the high-severity flaw impacts "millions of devices worldwide," including a wide variety of OMEN gaming laptops and desktops, as well as HP Pavilion and HP ENVY models.

Found by SentinelLabs researcher Kasif Dekel, CVE-2021-3437 is a privilege escalation vulnerability in the HP OMEN Command Center. The gaming hub can be used to adjust settings to a gamer's preference -- including fan speeds and overclocking -- as well as to monitor a PC and network's overall performance.

A driver developed by HP and used by the software, HpPortIox64.sys, is the source of the security issue. According to the researchers, code partially comes from WinRing0.sys, an OpenLibSys driver used to manage actions including read/write kernel memory. 

"The link between the two drivers can readily be seen as on some signed HP versions the metadata information shows the original filename and product name," SentinelLabs noted.

Privilege escalation bugs have been found in the WinRing0.sys driver in the past, including flaws that allow users to exploit the IOCTLs interface to perform high-level actions.

Several lines of code in the driver's IOCTL system call function "allow user mode applications with low privileges to read/write 1/2/4 bytes to or from an IO port," the team says, which could potentially be exploited to allow unprivileged users to conduct system-level actions.

"This high severity flaw, if exploited, could allow any user on the computer, even without privileges, to escalate privileges and run code in kernel mode," the researchers say. "Among the obvious abuses of such vulnerabilities are that they could be used to bypass security products. An attacker with access to an organization's network may also gain access to execute code on unpatched systems and use these vulnerabilities to gain local elevation of privileges. Attackers can then leverage other techniques to pivot to the broader network, like lateral movement."

HP OMEN Gaming Hub prior to version and the HP OMEN Gaming Hub SDK Package, prior to 1.0.44, are impacted. At the time of writing, there is no evidence that the bug has been exploited in the wild. 

SentinelLabs reported its findings on February 17, 2021. By May 14, HP sent a proposed fix to the researchers, but it was found that the patch was not sufficient. The tech giant's security team then changed its tactic and disabled the vulnerable feature to resolve the security flaw, delivered on June 7. A patched version of the software was made available on July 27 in the Microsoft Store.

"We would like to thank HP for their approach to our disclosure and for remediating the vulnerabilities quickly," the researchers commented. "We urge users of these products to ensure they take appropriate mitigating measures without delay."

HP has published a security advisory on CVE-2021-3437, describing the flaw as a privilege escalation and denial-of-service issue.

"We constantly monitor the security landscape and value work that helps us identify new potential threats," HP told ZDNet. "We have posted a security bulletin. The security of our customers is always a top priority and we urge all customers to keep their systems up to date."

Previous and related coverage

Have a tip? Get in touch securely via WhatsApp | Signal at +447713 025 499, or over at Keybase: charlie0

Editorial standards