Overview

A critical vulnerability has been reported in the Credential Provider module of the HyID Desktop application for Microsoft Windows OS. This vulnerability can be exploited to gain local admin privileges on a user’s endpoint.


Advisory Details

Advisory ID

ASA-2024-0801

Issue Date

2024-09-11

Severity

Critical

Vulnerability Details

A security flaw in the Credential Provider module of the HyID Desktop app may allow a standard user to escalate their privileges to an administrator level under specific conditions. 


Conditions for Risk

The vulnerability is exposed when the HyID Desktop App fails to validate the TLS certificate of the HyID (HySecure) Server. Certificate validation fails under any of these conditions:

  1. The TLS certificate on the Accops HyID (HySecure) server is not signed by a CA trusted by the user's desktop.
  2. The TLS certificate of the Accops HyID server has expired.
  3. The HyID Desktop App for Windows is configured with the IP address, or with a different hostname than the one in the "Issued to" field of the HyID server's certificate.

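The three conditions above are exactly what a correctly configured TLS client checks. The following added script (not Accops code; the server address is an assumption) connects to a HyID server the way a validating client would, reports which of the advisory's conditions a given deployment is hitting, and includes a stand-alone check of the "Issued to" hostname rule so administrators can confirm their configured address before rolling out the fix:

```python
"""Classify a HyID server's TLS setup against the advisory's three
failure conditions.  Added example, not Accops code; hostnames are assumed."""
import ipaddress
import socket
import ssl


def hostname_matches(configured_address: str, cert_names: list[str]) -> bool:
    """Condition 3: the address configured in the desktop app must equal one of
    the names the certificate was issued to (CN or SAN DNS entries).  An IP
    address never matches a DNS name; a wildcard covers one leftmost label."""
    try:
        ipaddress.ip_address(configured_address)
        return False  # app configured with an IP address: cannot match a DNS name
    except ValueError:
        pass
    host = configured_address.lower().rstrip(".")
    for name in cert_names:
        name = name.lower().rstrip(".")
        if name == host:
            return True
        if name.startswith("*.") and "." in host and host.split(".", 1)[1] == name[2:]:
            return True
    return False


def classify_verification_error(exc: ssl.SSLCertVerificationError) -> str:
    """Map OpenSSL's X509 verify code onto the advisory's three conditions."""
    code = getattr(exc, "verify_code", None)
    if code == 10:                    # X509_V_ERR_CERT_HAS_EXPIRED
        return "expired"
    if code in (18, 19, 20, 21):      # self-signed / issuer not in local trust store
        return "untrusted-ca"
    if code == 62:                    # X509_V_ERR_HOSTNAME_MISMATCH
        return "hostname-mismatch"
    return "other"


def check_hyid_server(address: str, port: int = 443) -> str:
    """Connect with OS trust store, expiry and hostname checks all enforced.
    Returns 'ok' or the advisory condition that would trigger the flaw."""
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((address, port), timeout=5) as sock:
            with ctx.wrap_socket(sock, server_hostname=address):
                return "ok"
    except ssl.SSLCertVerificationError as exc:
        return classify_verification_error(exc)


if __name__ == "__main__":
    print(check_hyid_server("hyid.example.internal"))  # assumed hostname
```

Run it from an affected desktop so that the same Windows trust store the Credential Provider relies on is used for the chain check.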

Who is not Impacted

This vulnerability does not impact customers with a valid TLS certificate on the HyID server and the HyID desktop app configured with the correct hostname. Also, customers not using the Credential Provider module to enable MFA at Windows login are not impacted.



Affected Products

Product/Module Name: Credential Provider Module of Accops HyID Client for Windows

Affected Version: All Versions of Accops HyID Client for Windows


Products not affected

Product Name                                                   Not Affected Version
Tray Agent Module of Accops HyID Client for Windows            All Versions
Accops HySecure Client for MS Windows and all other OS         All Versions
On-Demand Accops HySecure Client for MS Windows                All Versions
Accops HyWorks Client for MS Windows and all other OS          All Versions
Accops On-demand HyWorks Client for MS Windows                 All Versions


Resolutions

There are two resolutions possible:


Quick Configuration-based resolution:


  1. If the TLS certificate on the HyID server is not valid or not signed by a trusted CA, please install the correct certificate so that the certificate validation does not fail.
  2. The HyID desktop app should have a hostname that matches the "Issued To" field in the TLS certificate of the HyID server:
    1. Admin can go to each desktop and change the HyID server address.
    2. Alternatively, pushing this change from the HyID server to all users is possible. To make this change, please contact the Accops support team. This option is not available in the management console and can only be performed by Accops engineers from the command line.


Software Resolution:


An updated HyID desktop app for Windows has been released to address the vulnerability permanently. The Forgot Password functionality is fixed in the new version, so it cannot connect to the server if the TLS certificate validation fails. The details and download links are available in the support article: HyID Windows Client 1.1.10.4


Contact

Please reach out to [email protected] if you have more questions about this update.