Millions of HP OMEN gaming PCs are exposed to attacks of high vulnerability that can allow threatening agents to cause denial of service or escalate privileges and disable security solutions.
The security error (detected as CVE-2021-3437) was detected in a driver used by the OMEN Gaming Hub software that is preinstalled on all HP OMEN desktops and laptops.
CVE-2021-3437 is due to HP's choice to use vulnerable code partially copied from WinRing0.sys, an open source driver, to create the HpPortIox64.sys driver that uses OMEN Gaming Hub software to read / write kernel memory, PCI configurations, IO ports and Model-Specific Registers (MSRs).
The full list of vulnerable devices is available here and includes OMEN and HP Pavilion gaming laptops, as well as HP ENVY, HP Pavilion and OMEN gaming desktops.
Millions of devices and users were affected
The OMEN Gaming Hub can be used to enhance the gaming experience through overclocking, optimizing system settings for various game profiles, adjusting lighting on gaming devices and accessories, and more.
Considering that the software can also be downloaded from the Microsoft Store and installed on any Windows 10 computer with peripherals sold under the HP OMEN brand, millions of computers worldwide are affected by this defect.
Once attackers gain SYSTEM privileges on targeted HP OMEN devices, they can easily disable security products, replace system components with malicious payloads, destroy the underlying operating system, or perform other malicious tasks of their choice.
The list of software products affected by this vulnerability includes:
- HP OMEN Gaming Hub before version 220.127.116.11
- HP OMEN Gaming Hub SDK package before 1.0.44
Security patches available from July
HP has released fixes for this high severity vulnerability via the Microsoft Store on July 27 and has published a security advisory earlier.
SentinelOne also shared its findings in today's report to warn users to update their software and defend their systems from attackers using CVE-2021-3437 exploits.
Source of information: bleepingcomputer.com