HP Elite/Elitebook/ProBook/ZBook prior 10.0.931.90 Conexant Systems Task mictray64.exe Keylogger information disclosure
| CVSS Meta Temp Score | Current Exploit Price (≈) | CTI Interest Score |
|---|---|---|
| 4.3 | $0-$5k | 0.00 |
Summary
A vulnerability was found in HP Elite, Elitebook, ProBook and ZBook. It has been rated as problematic. This affects an unknown function of the file mictray64.exe of the component Conexant Systems Task. The manipulation leads to information disclosure (Keylogger). This vulnerability is uniquely identified as CVE-2017-8360. Local access is required to approach this attack. No exploit exists. Upgrading the affected component is advised.
Details
A vulnerability was found in HP Elite, Elitebook, ProBook and ZBook. It has been rated as problematic. This issue affects an unknown function of the file mictray64.exe of the component Conexant Systems Task. The manipulation with an unknown input leads to a information disclosure vulnerability (Keylogger). Using CWE to declare the problem leads to CWE-200. The product exposes sensitive information to an actor that is not explicitly authorized to have access to that information. Impacted is confidentiality. The summary by CVE is:
Conexant Systems mictray64 task, as used on HP Elite, EliteBook, ProBook, and ZBook systems, leaks sensitive data (keystrokes) to any process. In mictray64.exe (mic tray icon) 1.0.0.46, a LowLevelKeyboardProc Windows hook is used to capture keystrokes. This data is leaked via unintended channels: debug messages accessible to any process that is running in the current user session, and filesystem access to C:\Users\Public\MicTray.log by any process.
The bug was discovered 04/28/2017. The weakness was disclosed 05/11/2017 by Thorsten Schroeder with modzero AG as Keylogger in Hewlett-Packard Audio Driver as confirmed blog post (Website). It is possible to read the advisory at modzero.ch. The vendor was not involved in the public release. The identification of this vulnerability is CVE-2017-8360 since 04/30/2017. Attacking locally is a requirement. The successful exploitation requires a simple authentication. Technical details of the vulnerability are known, but there is no available exploit. The attack technique deployed by this issue is T1592 according to MITRE ATT&CK. The advisory points out:
We have discovered a keylogger in an audio driver package by Hewlett-Packard. (...) So what's the point of a keylogger in an audio driver? Does HP deliver pre-installed spyware? Is HP itself a victim of a backdoored software that third-party vendors have developed on behalf of HP? The responsibility in this case is uncertain, because the software is offered by HP as a driver package for their own devices on their website. On the other hand, the software was developed and digitally signed by the audio chip manufacturer Conexant. Conexant is a manufacturer of integrated circuits, emerging from a US armaments manufacturer. Primarily, they develop circuits in the field of video and audio processing. Thus, it is not uncommon for Conexant audio ICs to be populated on the sound cards of computers of various manufacturers. Conexant also develops drivers for its audio chips, so that the operating system is able to communicate with the hardware. Apparently, there are some parts for the control of the audio hardware, which are very specific and depend on the computer model - for example special keys for turning on or off a microphone or controlling the recording LED on the computer. In this code, which seems to be tailored to HP computers, there is a part that intercepts and processes all keyboard input. Actually, the purpose of the software is to recognize whether a special key has been pressed or released. Instead, however, the developer has introduced a number of diagnostic and debugging features to ensure that all keystrokes are either broadcasted through a debugging interface or written to a log file in a public directory on the hard-drive. This type of debugging turns the audio driver effectively into a keylogging spyware.
The vulnerability was handled as a non-public zero-day exploit for at least 13 days. During that time the estimated underground price was around $0-$5k. The vulnerability scanner Nessus provides a plugin with the ID 100161 (Conexant Audio Driver MicTray.exe / MicTray64.exe Keylogger), which helps to determine the existence of the flaw in a target environment. It is assigned to the family Windows and running in the context l. The commercial vulnerability scanner Qualys is able to test this issue with plugin 370389 (HP Keylogger Detected).
Upgrading to version 10.0.931.90 eliminates this vulnerability. The upgrade is hosted for download at ftp.hp.com. A possible mitigation has been published 3 days after the disclosure of the vulnerability. The blog post contains the following remark:
All users of HP computers should check whether the program C:\Windows\System32\MicTray64.exe or C:\Windows\System32\MicTray.exe is installed. We recommend that you delete or rename the executable files so that no keystrokes are recorded anymore. However, the special function keys on the keyboards might no longer work as expected. If a C:\Users\Public\MicTray.log file exists on the hard-drive, it should also be deleted immediately, as it can contain a lot of sensitive information such as login-information and passwords.
The vulnerability is also documented in the databases at Tenable (100161) and SecurityTracker (ID 1038527†). modzero.ch is providing further details. Be aware that VulDB is the high quality source for vulnerability data.
Product
Vendor
Name
License
Website
- Vendor: https://www.hp.com/
CPE 2.3
CPE 2.2
Screenshot
CVSSv4
VulDB Vector: 🔍VulDB Reliability: 🔍
CVSSv3
VulDB Meta Base Score: 4.4VulDB Meta Temp Score: 4.3
VulDB Base Score: 3.3
VulDB Temp Score: 3.2
VulDB Vector: 🔍
VulDB Reliability: 🔍
NVD Base Score: 5.5
NVD Vector: 🔍
CVSSv2
| AV | AC | Au | C | I | A |
|---|---|---|---|---|---|
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| 💳 | 💳 | 💳 | 💳 | 💳 | 💳 |
| Vector | Complexity | Authentication | Confidentiality | Integrity | Availability |
|---|---|---|---|---|---|
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
| Unlock | Unlock | Unlock | Unlock | Unlock | Unlock |
VulDB Base Score: 🔍
VulDB Temp Score: 🔍
VulDB Reliability: 🔍
NVD Base Score: 🔍
Exploiting
Name: KeyloggerClass: Information disclosure / Keylogger
CWE: CWE-200 / CWE-284 / CWE-266
CAPEC: 🔍
ATT&CK: 🔍
Physical: Partially
Local: Yes
Remote: No
Availability: 🔍
Status: Not defined
EPSS Score: 🔍
EPSS Percentile: 🔍
Price Prediction: 🔍
Current Price Estimation: 🔍
| 0-Day | Unlock | Unlock | Unlock | Unlock |
|---|---|---|---|---|
| Today | Unlock | Unlock | Unlock | Unlock |
Nessus ID: 100161
Nessus Name: Conexant Audio Driver MicTray.exe / MicTray64.exe Keylogger
Nessus File: 🔍
Nessus Risk: 🔍
Nessus Family: 🔍
Nessus Context: 🔍
Qualys ID: 🔍
Qualys Name: 🔍
Threat Intelligence
Interest: 🔍Active Actors: 🔍
Active APT Groups: 🔍
Countermeasures
Recommended: UpgradeStatus: 🔍
Reaction Time: 🔍
0-Day Time: 🔍
Exposure Time: 🔍
Upgrade: Elite/Elitebook/ProBook/ZBook 10.0.931.90
Timeline
04/28/2017 🔍04/28/2017 🔍
04/30/2017 🔍
05/11/2017 🔍
05/12/2017 🔍
05/12/2017 🔍
05/12/2017 🔍
05/14/2017 🔍
05/19/2017 🔍
08/23/2024 🔍
Sources
Vendor: hp.comAdvisory: Keylogger in Hewlett-Packard Audio Driver
Researcher: Thorsten Schroeder
Organization: modzero AG
Status: Confirmed
CVE: CVE-2017-8360 (🔍)
GCVE (CVE): GCVE-0-2017-8360
GCVE (VulDB): GCVE-100-101087
OSVDB: - CVE-2017-8360 - Conexant Systems - mictray64 - Information Disclosure Issue
SecurityTracker: 1038527
Misc.: 🔍
Entry
Created: 05/12/2017 14:36Updated: 08/23/2024 09:36
Changes: 05/12/2017 14:36 (87), 09/30/2020 16:19 (1), 08/23/2024 09:36 (18)
Complete: 🔍
Cache ID: 216::103
Be aware that VulDB is the high quality source for vulnerability data.
No comments yet. Languages: en.
Please log in to comment.