[Image: an HP Envy laptop with the HP logo over it]

HP issued a security advisory alerting users about a newly discovered vulnerability in HP Support Assistant, a software tool that comes pre-installed on all HP laptops and desktop computers, including the Omen sub-brand.

HP Support Assistant is used to troubleshoot issues, perform hardware diagnostic tests, dive deeper into technical specifications, and even check for BIOS and driver updates on HP devices.

The flaw, discovered by researchers at Secure D and reported to HP, is tracked as CVE-2022-38395 and has a "high" severity score of 8.2, as it enables attackers to elevate their privileges on vulnerable systems.

[Image: CVSS scope analysis for CVE-2022-38395 (First.org)]

While the computer maker hasn't provided many details about the security issue, the advisory mentions that it's a DLL hijacking flaw triggered when users attempt to launch HP Performance Tune-up from within HP Support Assistant.

DLL hijacking happens when a malicious actor places a DLL containing malicious code in the same folder as the abused executable, exploiting Windows' DLL search order, which checks the application's own directory before it checks the System32 directory.

[Image: the subsystem that can trigger the DLL hijacking flaw]

The code that runs when the library is loaded inherits the privileges of the abused executable, in this case HP Support Assistant running with 'SYSTEM' privileges.

Hence, CVE-2022-38395 can be exploited by attackers who have already established their presence on a system via low-privileged malware or a RAT tool.
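The pattern described above (a DLL whose name normally resolves from System32 being loaded from the application's own directory by a SYSTEM process) is also what a defender can look for in endpoint telemetry. The script below is an added example, not HP's code or anything from the advisory: it scores Sysmon Event ID 7 (Image Loaded) records against that pattern. The field names follow Sysmon's Event 7 schema (Image, ImageLoaded, Signed, User); the DLL names, paths and records are constructed for the example, and the System32 inventory is a stand-in for one built from a clean reference host.

```python
"""Flag image loads that look like DLL search-order hijacking.

Added example (not HP's or the advisory's code). It scans Sysmon Event ID 7
(Image Loaded) records for a DLL name that normally resolves from System32
being loaded from elsewhere, and escalates the finding when the copy sits in
the executable's own directory, is unsigned, or is loaded by a SYSTEM process.
All records and DLL names below are constructed, not real telemetry.
"""
from dataclasses import dataclass
from pathlib import PureWindowsPath

# Directories from which system DLLs are expected to load (lower-cased).
SYSTEM_DIRS = {r"c:\windows\system32", r"c:\windows\syswow64"}

# Constructed inventory of DLL base names that normally resolve from System32.
# A real deployment would derive this list from a clean reference host.
SYSTEM32_INVENTORY = {"sampleapi.dll", "samplecrypt.dll"}


@dataclass
class ImageLoad:
    image: str         # Image: the executable that loaded the DLL
    image_loaded: str  # ImageLoaded: full path of the DLL
    signed: bool       # Signed: Authenticode signature present and valid
    user: str          # User: account the loading process runs as


def parse_record(line: str) -> ImageLoad:
    """Parse a constructed 'Key=Value|Key=Value' Sysmon-style record."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return ImageLoad(
        image=fields["Image"],
        image_loaded=fields["ImageLoaded"],
        signed=fields["Signed"].lower() == "true",
        user=fields["User"],
    )


def _dir(path: str) -> str:
    """Lower-cased parent directory of a Windows path."""
    return str(PureWindowsPath(path).parent).lower()


def assess(ev: ImageLoad) -> list[str]:
    """Return the reasons an image load looks like a hijack (empty = benign)."""
    dll_name = PureWindowsPath(ev.image_loaded).name.lower()
    dll_dir = _dir(ev.image_loaded)
    reasons: list[str] = []
    if dll_dir in SYSTEM_DIRS:
        return reasons  # loaded from where the system DLL really lives
    if dll_name in SYSTEM32_INVENTORY:
        reasons.append("system DLL name resolved outside System32")
        if dll_dir == _dir(ev.image):
            reasons.append("shadow copy sits in the executable's own directory")
        if not ev.signed:
            reasons.append("DLL is unsigned")
        if ev.user.lower().endswith("system"):
            reasons.append("loading process runs as SYSTEM (privilege escalation)")
    return reasons


def scan(lines: list[str]) -> dict[str, list[str]]:
    """Map each flagged DLL path to the reasons it was flagged."""
    findings: dict[str, list[str]] = {}
    for line in lines:
        ev = parse_record(line)
        reasons = assess(ev)
        if reasons:
            findings[ev.image_loaded] = reasons
    return findings


# Constructed sample records: a normal System32 load, a hijack-shaped load
# from the application directory, and a legitimate application-private DLL.
SAMPLE_RECORDS = [
    r"Image=C:\Program Files\VendorTool\tool.exe|ImageLoaded=C:\Windows\System32\sampleapi.dll|Signed=true|User=NT AUTHORITY\SYSTEM",
    r"Image=C:\Program Files\VendorTool\tool.exe|ImageLoaded=C:\Program Files\VendorTool\sampleapi.dll|Signed=false|User=NT AUTHORITY\SYSTEM",
    r"Image=C:\Program Files\VendorTool\tool.exe|ImageLoaded=C:\Program Files\VendorTool\vendorhelper.dll|Signed=true|User=NT AUTHORITY\SYSTEM",
]

if __name__ == "__main__":
    for path, reasons in scan(SAMPLE_RECORDS).items():
        print(path)
        for reason in reasons:
            print("  -", reason)
```

Only the second constructed record is flagged, with all four reasons; the first loads the DLL from System32 and the third is an application-private DLL whose name is not in the System32 inventory. The same rule can be expressed in a SIEM query over real Sysmon data, with the inventory generated from a known-good machine rather than hard-coded.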

Still, due to the large number of devices with HP Support Assistant installed and the low complexity of exploitation, it is recommended that all HP users upgrade Support Assistant as soon as possible.

HP recommends that customers using version 9.x update to the latest version of Support Assistant via the Microsoft Store.

Those using the older version 8.x won't receive a security update, so they are advised to move to the newer branch. To do that, open the software, go to the "About" section, and click "check for updates."

This is not the first time HP's pre-installed self-help tools have created security risks for users, nor even the first time for Support Assistant in particular.

In April 2020, it was revealed that HP Support Assistant suffered from at least ten elevation of privilege and remote code execution vulnerabilities, some remaining unpatched since October 2012 and for a year after their disclosure to HP.

Considering the above, if you don't need or use your computer vendor's bloatware, deleting these tools would remove all associated risks.
