Researchers at SEC Consult discovered a vulnerability in Portrait Displays software, which OEMs such as HP and Fujitsu ship on millions of notebooks.
The affected product lets users configure their displays (e.g. rotation, alignment, colors and brightness) through a software application instead of the monitor's hardware buttons.
Portrait Displays’ products are used by several major vendors, including Sony, HP, Acer, Fujitsu, Philips, Dell, Benq, Lenovo, Sharp and Toshiba. However, SEC Consult could only confirm the vulnerability for Fujitsu’s DisplayView, HP’s Display Assistant and My Display, and Philips’ SmartControl applications.
The vulnerability, tracked as CVE-2017-3210, exists in the Portrait Displays SDK service and allows any authenticated user on the machine to execute arbitrary commands and escalate their privileges to SYSTEM.
Portrait Displays has released a patch and advised users to install it immediately.
As an alternative, users can address the problem by removing the over-permissive rights on the vulnerable service via the “sc” command in Windows. CERT/CC has also released an advisory for this security hole.
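The article describes the workaround only as "removing the vulnerable service's permissions via the sc command". The script below is an added example written for this page; it is not from SEC Consult, CERT/CC or Portrait Displays. It reads a service's security descriptor with `sc.exe sdshow`, parses the SDDL with .NET, and reports whether a low-privileged well-known group (Everyone, Authenticated Users, Users, Interactive) holds rights that let it reconfigure the service (SERVICE_CHANGE_CONFIG, WRITE_DAC or WRITE_OWNER), which is the class of weakness behind this kind of SYSTEM privilege escalation. The service name is a placeholder, since the article does not give it; take the real name from the vendor or CERT/CC advisory. The suggested replacement descriptor is the standard Windows default service DACL, offered as an assumption to compare against the advisory, not as the vendor's recommended value.

```powershell
# Added example (not from the article or the vendor): audit a Windows service's DACL
# for principals that should never be able to reconfigure a SYSTEM service.
param(
    # Assumption: replace with the Portrait Displays SDK service name from the advisory.
    [string]$ServiceName = 'PLACEHOLDER_SERVICE_NAME'
)

# Access bits from winsvc.h / winnt.h
$SERVICE_CHANGE_CONFIG = 0x00000002
$WRITE_DAC             = 0x00040000
$WRITE_OWNER           = 0x00080000
$DangerousMask = $SERVICE_CHANGE_CONFIG -bor $WRITE_DAC -bor $WRITE_OWNER

# Well-known SIDs that no SYSTEM service should grant reconfiguration rights to
$LowPrivSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
    'S-1-5-4'      = 'Interactive'
}

# Assumption: the Windows default service DACL, used here as the hardened baseline.
$HardenedSddl = 'D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)' +
                '(A;;CCLCSWLOCRRC;;;IU)(A;;CCLCSWLOCRRC;;;SU)' +
                'S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)'

# sc sdshow prints a blank line followed by the SDDL string
$sddlLine = sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' } | Select-Object -First 1
if (-not $sddlLine) {
    throw "Could not read the security descriptor for service '$ServiceName'"
}
$sddl = $sddlLine.Trim()

# Parse the SDDL; service rights use the same two-letter codes SDDL maps to bits 0x1..0x100
$sd = New-Object System.Security.AccessControl.RawSecurityDescriptor -ArgumentList $sddl

$findings = foreach ($ace in $sd.DiscretionaryAcl) {
    if ($ace.AceType -ne 'AccessAllowed') { continue }
    $sid = $ace.SecurityIdentifier.Value
    if ($LowPrivSids.ContainsKey($sid) -and (($ace.AccessMask -band $DangerousMask) -ne 0)) {
        [pscustomobject]@{
            Principal  = $LowPrivSids[$sid]
            Sid        = $sid
            AccessMask = ('0x{0:X8}' -f $ace.AccessMask)
            CanChangeConfig = (($ace.AccessMask -band $SERVICE_CHANGE_CONFIG) -ne 0)
            CanWriteDacl    = (($ace.AccessMask -band $WRITE_DAC) -ne 0)
            CanWriteOwner   = (($ace.AccessMask -band $WRITE_OWNER) -ne 0)
        }
    }
}

Write-Host "Current SDDL for '$ServiceName':"
Write-Host "  $sddl"
if ($findings) {
    Write-Host "Weak ACEs found: low-privileged principals can reconfigure this service."
    $findings | Format-Table -AutoSize
    Write-Host "Suggested remediation (run from an elevated prompt; review against the vendor advisory first):"
    Write-Host "  sc.exe sdset $ServiceName `"$HardenedSddl`""
} else {
    Write-Host "No low-privileged principal holds reconfiguration rights on '$ServiceName'."
}
```

The check only reads the descriptor and prints the `sc.exe sdset` command rather than applying it; applying it requires an elevated prompt and overwrites the whole descriptor, so the existing `sc sdshow` output should be saved first. The same audit can be pointed at any other service name to find the same misconfiguration pattern elsewhere on a host.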