Overview
A critical vulnerability has been reported in the Credential Provider module of the HyID Desktop application for Microsoft Windows OS. This vulnerability can be exploited to gain local admin privileges on a user’s endpoint.
Advisory Details
Advisory ID | ASA-2024-0801 |
Issue Date | 2024-09-11 |
Severity | Critical |
Vulnerability Details
A security flaw in the Credential Provider module of the HyID Desktop app may allow a standard user to escalate their privileges to an administrator level under specific conditions.
Conditions for Risk
The vulnerability is exposed when the HyID Desktop App fails to validate the TLS certificate of the HyID (HySecure) Server. TLS certificate validation fails under any of these conditions:
- The TLS certificate on the Accops HyID (HySecure) server is not signed by a trusted CA of the user’s desktop.
- The TLS certificate of the Accops HyID server has expired.
- The HyID Desktop App for Windows is configured with the IP address of the HyID server, or with a hostname different from the one in the “Issued to” field of the server’s TLS certificate.
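To make the three conditions concrete, the following Go program (an added example, not Accops code) performs the validation the desktop app must enforce and reports which of the advisory's conditions a server certificate fails. The hostname `hyid.example.internal`, the address `10.0.0.5` and the self-signed test certificate are constructed sample values.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// constructedCert makes a self-signed test certificate for host (constructed sample data, not a real HyID server cert).
func constructedCert(host string, notBefore, notAfter time.Time) *x509.Certificate {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: notBefore, NotAfter: notAfter, BasicConstraintsValid: true, IsCA: true}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	cert, _ := x509.ParseCertificate(der)
	return cert
}

// Classify runs the checks a client must enforce before trusting the server (chain to a trusted root,
// validity window, name match against the configured address) and names the advisory condition that fails.
func Classify(cert *x509.Certificate, configured string, roots *x509.CertPool, now time.Time) string {
	_, err := cert.Verify(x509.VerifyOptions{DNSName: configured, Roots: roots, CurrentTime: now})
	var (ua x509.UnknownAuthorityError; inv x509.CertificateInvalidError; hn x509.HostnameError)
	switch {
	case err == nil:
		return "ok"
	case errors.As(err, &ua):
		return "untrusted CA" // not signed by a CA the desktop trusts
	case errors.As(err, &inv) && inv.Reason == x509.Expired:
		return "expired"
	case errors.As(err, &hn):
		return "hostname mismatch" // configured address is not the Issued To / SAN name
	}
	return "other: " + err.Error() // any other verification error is still a failure
}

func main() {
	now := time.Now()
	cert := constructedCert("hyid.example.internal", now.Add(-time.Hour), now.Add(24*time.Hour))
	trusted := x509.NewCertPool(); trusted.AddCert(cert) // the desktop's trust store contains the issuer
	fmt.Println(Classify(cert, "hyid.example.internal", trusted, now))                    // ok
	fmt.Println(Classify(cert, "hyid.example.internal", x509.NewCertPool(), now))         // untrusted CA
	fmt.Println(Classify(cert, "hyid.example.internal", trusted, now.Add(48*time.Hour))) // expired
	fmt.Println(Classify(cert, "10.0.0.5", trusted, now))                                  // hostname mismatch
}
```

A client that connects when Classify returns anything other than "ok" exhibits the behaviour the advisory describes; the configured address must match the certificate's Issued To / SAN name, not the server's IP.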
Who is not Impacted
This vulnerability does not impact customers with a valid TLS certificate on the HyID server and the HyID desktop app configured with the correct hostname. Also, customers not using the Credential Provider module to enable MFA at Windows login are not impacted.
Affected Products
Product/Module Name | Affected Version |
---|---|
Credential Provider Module of Accops HyID Client for Windows | All Versions of Accops HyID Client for Windows |
Products not affected
Product Name | Not Affected Version |
---|---|
Tray Agent Module of Accops HyID Client for Windows | All Versions |
Accops HySecure Client for MS Windows and all other OS | All Versions |
On-Demand Accops HySecure Client for MS Windows | All Versions |
Accops HyWorks Client for MS Windows and all other OS | All Versions |
Accops On-demand HyWorks Client for MS Windows | All Versions |
Resolutions
There are two resolutions possible:
Quick Configuration-based resolution:
- If the TLS certificate on the HyID server is not valid or not signed by a trusted CA, please install the correct certificate so that the certificate validation does not fail.
- The HyID desktop app should have a hostname that matches the "Issued To" field in the TLS certificate of the HyID server:
  - An administrator can go to each desktop and change the HyID server address.
  - Alternatively, this change can be pushed from the HyID server to all users. To make this change, please contact the Accops support team. This option is not available in the management console and can only be performed by Accops engineers from the command line.
Software Resolution:
An updated HyID desktop app for Windows has been released to address the vulnerability permanently. The Forgot Password functionality is fixed in the new version, so it cannot connect to the server if the TLS certificate validation fails. The details and download links are available in the support article: HyID Windows Client 1.1.10.4
Contact
Please reach out to [email protected] if you have more questions about this update.