A high-severity flaw in the HP OMEN driver was discovered recently. The flaw, which has been assigned the identifier CVE-2021-3437, affects millions of gaming computers.
CVE-2021-3437 in HP OMEN Driver
The vulnerability can be abused to locally escalate to kernel-mode privileges, allowing attackers to disable security products, overwrite system components, corrupt the OS, or perform any malicious operations unimpeded, SentinelOne researchers pointed out. Following this discovery, HP has released a security update to its customers to fix the flaw. There is no evidence that the CVE-2021-3437 flaw has been abused in active attacks. Nonetheless, patching is still crucial.
What Is HP OMEN?
HP OMEN Gaming Hub is a software product preinstalled on HP OMEN desktop computers and laptops. The software can control and optimize various settings including the GPU, fan speeds, CPU overclocking, etc. It can also be used to set and adjust lighting on gaming machines, as well as on mice and keyboards.
The CVE-2021-3437 vulnerability stems from code in the software's kernel driver, which was partially copied from an open-source driver.
“Under the hood of HP OMEN Gaming Hub lies the HpPortIox64.sys driver, C:\Windows\System32\drivers\HpPortIox64.sys. This driver is developed by HP as part of OMEN, but it is actually a partial copy of another problematic driver, WinRing0.sys, developed by OpenLibSys,” SentinelOne revealed.
The WinRing0.sys driver has a history of known issues. Its vulnerabilities could allow local users, including low-integrity processes, to read and write arbitrary memory locations.
The HpPortIox64.sys driver exposes operations that include reading and writing kernel memory, PCI configuration space, IO ports, and model-specific registers (MSRs). “Developers may find it convenient to expose a generic interface of privileged operations to user mode for stability reasons by keeping as much code as possible from the kernel-module. The IOCTL codes 0x9C4060CC, 0x9C4060D0, 0x9C4060D4, 0x9C40A0D8, 0x9C40A0DC and 0x9C40A0E0 allow user mode applications with low privileges to read/write 1/2/4 bytes to or from an IO port. This could be leveraged in several ways to ultimately run code with elevated privileges,” the report said.
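The six control codes quoted above can be unpacked with the standard Windows IOCTL field layout (the one the WDK's CTL_CODE macro produces), which shows at a glance how the driver's port-I/O interface is laid out: a vendor-range device type, three consecutive function numbers that require read access and three that require write access, all METHOD_BUFFERED. The C program below is an added example written for this page, not code from SentinelOne or HP. Which of the three read codes (and which of the three write codes) carries the 1-, 2- or 4-byte width is not stated in the report and is not assumed here; the helper names are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Layout of a Windows I/O control code (what the WDK's CTL_CODE macro packs):
 *   bits 31..16  DeviceType      (0x8000-0xFFFF is the vendor-defined range)
 *   bits 15..14  RequiredAccess  0 = FILE_ANY_ACCESS, 1 = FILE_READ_ACCESS,
 *                                2 = FILE_WRITE_ACCESS, 3 = READ|WRITE
 *   bits 13..2   Function        driver-specific function number
 *   bits  1..0   Method          0 = METHOD_BUFFERED, 1 = METHOD_IN_DIRECT,
 *                                2 = METHOD_OUT_DIRECT, 3 = METHOD_NEITHER
 */
typedef struct {
    uint16_t device_type;
    uint8_t  access;
    uint16_t function;
    uint8_t  method;
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = (uint16_t)(code >> 16);
    f.access      = (uint8_t)((code >> 14) & 0x3u);
    f.function    = (uint16_t)((code >> 2) & 0xFFFu);
    f.method      = (uint8_t)(code & 0x3u);
    return f;
}

/* Re-pack the fields the way CTL_CODE does, so a decoded code can be checked round-trip. */
uint32_t encode_ioctl(uint16_t device_type, uint16_t function, uint8_t method, uint8_t access)
{
    return ((uint32_t)device_type << 16) | ((uint32_t)(access & 3u) << 14) |
           ((uint32_t)(function & 0xFFFu) << 2) | (uint32_t)(method & 3u);
}

/* 1 if the calling handle must have been opened with write access, 0 otherwise. */
int ioctl_requires_write(uint32_t code)
{
    return (decode_ioctl(code).access & 2u) != 0;
}

static const char *access_name(uint8_t a)
{
    static const char *names[] = { "FILE_ANY_ACCESS", "FILE_READ_ACCESS",
                                   "FILE_WRITE_ACCESS", "FILE_READ_ACCESS|FILE_WRITE_ACCESS" };
    return names[a & 3u];
}

static const char *method_name(uint8_t m)
{
    static const char *names[] = { "METHOD_BUFFERED", "METHOD_IN_DIRECT",
                                   "METHOD_OUT_DIRECT", "METHOD_NEITHER" };
    return names[m & 3u];
}

/* The six port-I/O control codes named in the SentinelOne report. */
static const uint32_t hp_port_ioctls[] = {
    0x9C4060CCu, 0x9C4060D0u, 0x9C4060D4u,
    0x9C40A0D8u, 0x9C40A0DCu, 0x9C40A0E0u
};

int main(void)
{
    size_t n = sizeof hp_port_ioctls / sizeof hp_port_ioctls[0];
    printf("%-12s %-8s %-6s %-36s %s\n", "IOCTL", "DevType", "Func", "Access", "Method");
    for (size_t i = 0; i < n; i++) {
        ioctl_fields f = decode_ioctl(hp_port_ioctls[i]);
        printf("0x%08X   0x%04X   0x%03X  %-36s %s\n", hp_port_ioctls[i],
               f.device_type, f.function, access_name(f.access), method_name(f.method));
    }
    return 0;
}
```

One caveat worth keeping in mind when reading the RequiredAccess field: it only says which access the caller's handle must have been granted when the device was opened, and that grant comes from the device object's security descriptor at CreateFile time. The report's finding that low-privilege processes can issue these codes therefore means the device object itself can be opened with the needed access by such processes; the access bits in the code do not restrict them. A fix has to either restrict who can open the device or remove the primitives.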
The vulnerability's impact also depends on the platform. Arbitrary port I/O can be leveraged to attack device firmware, or to perform legacy PCI configuration-space access through ports 0xCF8 (CONFIG_ADDRESS) and 0xCFC (CONFIG_DATA).
In terms of overall impact, we already mentioned that such vulnerabilities can be exploited to disable or bypass security products. In addition, threat actors who have gained a foothold on an organization's network and can execute code on an exposed system can use the flaw for local elevation of privileges from an unprivileged process to kernel mode.
To prevent this, install HP's security update and confirm afterwards that the affected system is no longer running the vulnerable version of the OMEN software.