Researcher Uncovers Certificate Security Flaw in HP Software Assistant Tool

April 14, 2020 | Scott Carter

 

There’s never been a good time to be cavalier about certificate security. But with the speed of digital transformation comes an increased risk of inadvertent errors in how certificates are handled, particularly in software. Security flaws that affect these machine identities, such as the ones recently uncovered in HP Support Assistant, show why you can never let your guard down in managing them.



 


Valid Certificate Exploited

In an in-depth blog post, researcher Bill Demirkapi outlined three different ways that attackers could gain remote code execution against HP Support Assistant. You may remember Demirkapi as the 18-year-old boy wonder who uncovered vulnerabilities in education software made by Blackboard and Follett last year, work that earned him a speaking slot at DEF CON.

First, I’m impressed by the depth of his work. But the thing about his HP discovery that interests me most is Remote Code Execution Variant #3, which exploits HP Support Assistant’s very liberal acceptance of signing certificates during its signature check.

Demirkapi outlines the vulnerable signature check as follows:


“The method takes in a file name and first verifies that it’s a valid certificate. This means a certificate ripped from a legitimate HP binary won’t work because it won’t match the binary. The concerning part is the check for if the certificate is an HP certificate.

To be considered an HP certificate, the subject of the certificate must contain in any case hewlett-packard, hewlett packard, or o=hp inc. This is a pretty inadequate check, especially that lower case conversion.”

A weak implementation like this is a field day for attackers. The signature itself is still verified, so a certificate lifted from a genuine HP binary is no use; but the “is this HP?” decision rests on whether the lower-cased subject string contains one of three substrings. An attacker who obtains a perfectly valid code-signing certificate for an organization whose name merely contains “Hewlett Packard”, or whose organization attribute starts with “HP Inc”, passes as HP, and a malicious binary signed with that certificate would be accepted in place of the real one. Given the number of machines that ship with HP Support Assistant preinstalled, we’re talking about a virtual spoofapalooza.

As Demirkapi notes, “I could probably spend days making up company names. All an attacker needs to do is create an organization that contains any of those words and they can get a certificate for that company. Next thing you know, they can have a one click RCE for anyone that has the HP bloatware installed.”
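To make the gap concrete, here is an added example in Python, not HP’s code and not code from Demirkapi’s post. The weak check reconstructs the logic the quote describes: lower-case the whole subject string and look for the three substrings. Beside it sits a stricter check that parses the subject into attributes and requires the Organization value to equal an expected name exactly. The `EXPECTED_ORG` value, the parser and every sample subject string are constructed for illustration and are not taken from any real certificate.

```python
"""Weak substring subject check versus an exact attribute check.

Added example: not HP's code and not code from Demirkapi's post. The weak
check reconstructs the logic the post quotes; the strict check, the
EXPECTED_ORG value and the sample subjects are constructed for illustration.
"""

# Substrings the quoted check looked for after lower-casing the subject.
WEAK_NEEDLES = ("hewlett-packard", "hewlett packard", "o=hp inc")

# Organization name the strict check accepts. Assumed for this example; it is
# not taken from a real HP certificate.
EXPECTED_ORG = "HP Inc."


def weak_is_hp_subject(subject):
    """Reconstruction of the inadequate check: case-fold the whole subject
    string and accept it if any needle appears anywhere in it."""
    folded = subject.lower()
    return any(needle in folded for needle in WEAK_NEEDLES)


def parse_subject(subject):
    """Split an RFC 4514-style subject string into {TYPE: [values]}.

    Commas separate components unless escaped with a backslash, and the
    first '=' in a component separates type from value. Multi-valued RDNs
    joined with '+' are not handled; production code should read attributes
    from the parsed X.509 structure instead of re-parsing a display string."""
    components, buf, escaped = [], [], False
    for ch in subject:
        if escaped:
            buf.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            components.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    if escaped:
        raise ValueError("subject ends with a dangling escape")
    components.append("".join(buf))

    attrs = {}
    for comp in components:
        if "=" not in comp:
            raise ValueError("malformed component: %r" % comp)
        attr_type, _, value = comp.partition("=")
        attrs.setdefault(attr_type.strip().upper(), []).append(value.strip())
    return attrs


def strict_is_hp_subject(subject):
    """Hardened check: exactly one Organization attribute, and its value must
    equal EXPECTED_ORG exactly (case-sensitive, whole value). Text that merely
    contains the name, or an 'O=' string hidden inside another attribute,
    no longer passes. Pinning the issuer or signer key is still needed on top
    of this, because a CA may issue to a similarly named organisation."""
    try:
        attrs = parse_subject(subject)
    except ValueError:
        return False
    orgs = attrs.get("O", [])
    return len(orgs) == 1 and orgs[0] == EXPECTED_ORG


# Constructed subject strings; none is copied from a real certificate.
SAMPLES = {
    "legit":     "CN=HP Inc., O=HP Inc., L=Palo Alto, ST=California, C=US",
    "lookalike": "CN=updates, O=HP Incorporated Spoofers LLC, C=US",
    "hyphen":    "CN=Hewlett-Packard Fan Club, O=Fan Club Ltd, C=US",
    "embedded":  "CN=Bloggs O=HP Inc fan, O=Bloggs Ltd, C=US",
    "unrelated": "CN=example.com, O=Example Corp, C=US",
}


def compare_checks(samples=SAMPLES):
    """Return {name: (weak_result, strict_result)} for each sample."""
    return {name: (weak_is_hp_subject(s), strict_is_hp_subject(s))
            for name, s in samples.items()}


if __name__ == "__main__":
    for name, (weak, strict) in compare_checks().items():
        print("%-10s weak=%-5s strict=%s" % (name, weak, strict))
```

Run it and the lookalike, hyphen and embedded samples all pass the weak check while only the legitimate sample passes the strict one; the embedded sample shows that even a Common Name containing the text “O=HP Inc” satisfies a substring test. Note that the strict check still only compares a name that some CA chose to put in a certificate. Code that decides whether to trust a signed binary should pin the expected issuer chain or the signer’s public-key hash rather than trusting any subject string, however carefully parsed.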
 

How Can You Tell A Bogus Certificate?

The good news is that HP has already patched all of the remote code execution flaws. But the question remains: how would an organization know if an attacker were using a look-alike certificate like this against its systems? Most organizations struggle to maintain a complete inventory even of the legitimate certificates on their networks, and finding every certificate actually in use, including ones being misused, takes much deeper intelligence than that. A spreadsheet or a Certificate Authority dashboard alone will not provide that level of insight.

That, my friends, is why machine identity management is such a vital tool for even the largest, most security-savvy organizations. With complete visibility and continual monitoring, they can drill down to who owns a particular certificate and where it is being used. It is the most effective way of keeping control over the ever-increasing number of machine identities that every organization relies on for secure connections and communications.

How much do you know about your machine identities?



 

About the author

Scott Carter

Scott is Senior Manager for Content Marketing at Venafi. With over 20 years in cybersecurity marketing, his expertise leads him to help large organizations understand the risk to machine identities and why they should protect them.
