CVE-2020-35686
📋 TL;DR
This vulnerability allows local attackers to escalate privileges on HP Windows 10 computers by planting a malicious DLL that the SECOMN service loads. It affects Sound Research DCHU model software component modules (APO) on HP systems. Attackers could gain SYSTEM-level access from a lower-privileged account.
💻 Affected Systems
- Sound Research DCHU model software component modules (APO) on HP Windows 10 computers, SECOMN service version 2.0.9.17 and earlier (fixed in 2.0.9.18)
📦 What is this software?
⚠️ Risk & Real-World Impact
Worst Case
Complete system compromise with SYSTEM privileges, enabling installation of persistent malware, credential theft, and lateral movement across the network.
Likely Case
Local privilege escalation allowing attackers to bypass security controls, install unauthorized software, and access sensitive system resources.
If Mitigated
Limited impact if the directories the SECOMN service loads DLLs from are not writable by standard users and application control (WDAC or AppLocker DLL rules) blocks unsigned DLLs from loading into the service.
🎯 Exploit Status
Requires local, low-privileged access to plant the DLL in a location the service loads from, plus a service restart (typically a reboot) so the planted DLL is loaded. DLL hijacking is a well-known technique and needs no memory-corruption exploit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 2.0.9.18 or later
Vendor Advisory: https://www.soundresearch.com/wp-content/uploads/static/CVE-2020-35686.html
Restart Required: Yes
Instructions:
1. Run Windows Update on affected HP systems to receive the updated Sound Research component.
2. Verify the SECOMN service binary is version 2.0.9.18 or later.
3. Restart the system to ensure the updated service loads.
🔧 Temporary Workarounds
Disable SECOMN service
Temporarily disable the vulnerable service if the audio processing it provides is not required (the space after "start=" is required by sc):
sc config SECOMN start= disabled
sc stop SECOMN
Ensure Safe DLL search mode is enabled
Note: this setting does not verify DLL signatures. It only moves the current working directory later in the DLL search order, and it is already the default on supported Windows versions. It does not help when the service loads a DLL from a directory that standard users can write to, so treat it as hygiene, not as a fix:
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager" /v "SafeDllSearchMode" /t REG_DWORD /d 1 /f
🧯 If You Can't Patch
- Implement application control (WDAC or AppLocker DLL rules) so that unsigned or unapproved DLLs cannot be loaded into the SECOMN service process
- Remove write, create and delete permissions for Users, Authenticated Users and Everyone from the directory the SECOMN service binary runs from, and from any other directory it loads DLLs from (check with icacls; only SYSTEM and Administrators should be able to write there)
🔍 How to Verify
Check if Vulnerable:
Find the SECOMN service binary, then read the file version of that executable; 2.0.9.17 and earlier are vulnerable. Note that 'sc query SECOMN' reports only service state, not a version, and the Services console (services.msc) does not show a version either; the version comes from the executable's file properties (Details tab).
Check Version:
sc qc SECOMN | findstr BINARY_PATH_NAME
Verify Fix Applied:
Confirm the file version of the executable shown in BINARY_PATH_NAME is 2.0.9.18 or later.
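The two checks above (binary version, and whether standard users can plant a file where the service runs from) in one script. This is an added example, not code from the advisory or from Sound Research. It assumes the fixed version 2.0.9.18 and the service name SECOMN from this page; treating the service binary's own directory as the directory to protect is an assumption, because the advisory does not name the hijacked DLL path. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not from the advisory or Sound Research: resolve the SECOMN
# service binary, compare its file version with the fixed version, and list
# ACL entries that let standard users write into the directory it runs from.
# Assumption: the binary's own directory is the one to protect (the advisory
# does not name the DLL path the service loads from).

$ServiceName  = 'SECOMN'
$FixedVersion = [version]'2.0.9.18'   # from the vendor advisory

function Get-ServiceBinaryPath {
    param([string]$Name)
    $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$Name'"
    if (-not $svc) { return $null }
    $path = $svc.PathName
    # PathName may be quoted and may carry arguments; keep only the executable.
    if ($path.StartsWith('"')) {
        return $path.Substring(1, $path.IndexOf('"', 1) - 1)
    }
    $idx = $path.ToLower().IndexOf('.exe')
    if ($idx -ge 0) { return $path.Substring(0, $idx + 4) }
    return $path
}

function Get-FileVersionOrNull {
    param([string]$Path)
    $raw = (Get-Item -LiteralPath $Path).VersionInfo.FileVersion
    # FileVersion is free text; take the leading dotted-number prefix only.
    if ($raw -match '^\s*(\d+(\.\d+){1,3})') { return [version]$Matches[1] }
    return $null
}

function Get-StandardUserWriteAces {
    param([string]$Directory)
    $broad = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
               'Everyone', 'NT AUTHORITY\INTERACTIVE')
    # Rights that allow planting or replacing a file. Modify and FullControl
    # contain these bits, so they are caught as well.
    $plantMask = [System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                 [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                 [System.Security.AccessControl.FileSystemRights]::Delete
    (Get-Acl -LiteralPath $Directory).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value -and
        (($_.FileSystemRights -band $plantMask) -ne 0)
    }
}

$exe = Get-ServiceBinaryPath -Name $ServiceName
if (-not $exe) { Write-Output "$ServiceName service is not installed on this host"; return }

$dir = Split-Path -Parent $exe
$ver = Get-FileVersionOrNull -Path $exe
Write-Output "Service binary : $exe"
Write-Output "File version   : $ver"
if ($ver -and $ver -ge $FixedVersion) {
    Write-Output "Status         : fixed version ($FixedVersion or later) present"
} else {
    Write-Output "Status         : VULNERABLE (older than $FixedVersion, or version unreadable)"
}

$weak = Get-StandardUserWriteAces -Directory $dir
if ($weak) {
    Write-Output "ACL            : standard users can write into $dir"
    $weak | ForEach-Object { Write-Output ("  {0} -> {1}" -f $_.IdentityReference, $_.FileSystemRights) }
    Write-Output "Fix            : icacls `"$dir`" /remove:g `"<principal>`" (check whether the ACE is inherited first)"
} else {
    Write-Output "ACL            : no broad write access to $dir"
}
```

The ACL check tests the CreateFiles, CreateDirectories and Delete bits rather than matching on the word "Write", because an ACE granting only WriteAttributes would otherwise be reported as a planting opportunity it is not. An inherited ACE has to be fixed on the parent (or inheritance disabled) rather than removed on the directory itself.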
📡 Detection & Monitoring
Log Indicators:
- System log, Service Control Manager Event ID 7036 for SECOMN ("The SECOMN service entered the running state"): a restart is what the attacker needs after planting the DLL, so SECOMN restarts outside boot and patch windows deserve a look; correlate with file creation in the service directory (Sysmon Event ID 11)
- DLL loads into the SECOMN service process from paths outside its install directory (Process Monitor, or Sysmon Event ID 7 ImageLoaded)
- DLLs loaded into the SECOMN process that are unsigned or carry an invalid signature (Sysmon Event ID 7 with Signed=false or SignatureStatus other than Valid); Windows itself does not log a failed signature check on a DLL load unless WDAC or AppLocker DLL rules are enforced
Network Indicators:
- None - this is a local privilege escalation
SIEM Query:
EventCode=7036 Message="*SECOMN*" | stats count by host
(Splunk syntax: the service name appears only in the message text of Event ID 7036, and field names such as EventCode and host depend on the collector you use, so adjust to your log source)
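The detection logic for the indicators above, run over constructed sample records. This is an added example, not code from the advisory: it flags Service Control Manager Event ID 7036 state changes for SECOMN, and Sysmon Event ID 7 image loads into the SECOMN service process that come from outside the service's own directory (or System32) or lack a valid signature. The sample events and the service binary path in them are placeholders; the advisory names neither the executable nor the DLL path, and real Sysmon records are read through ConvertFrom-SysmonImageLoad as shown in the trailing comments.

```powershell
# Added example, not from the advisory: detection over SCM 7036 events and
# Sysmon Event ID 7 image loads. Sample records below are constructed and the
# service path is a placeholder, not a real HP/Sound Research path.

$ServiceName = 'SECOMN'

function Select-ServiceStateChange {
    param([Parameter(ValueFromPipeline = $true)] $Event)
    process {
        if ($Event.Id -eq 7036 -and $Event.Message -match "\b$ServiceName\b") {
            [pscustomobject]@{
                Time   = $Event.TimeCreated
                Kind   = 'SECOMN service state change'
                Detail = $Event.Message.Trim()
            }
        }
    }
}

function ConvertFrom-SysmonImageLoad {
    # Flattens a Sysmon Event ID 7 record (Get-WinEvent) into its EventData fields.
    param([Parameter(ValueFromPipeline = $true)] $Event)
    process {
        if ($Event.Id -ne 7) { return }
        $xml  = [xml]$Event.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time            = $Event.TimeCreated
            Image           = $data['Image']
            ImageLoaded     = $data['ImageLoaded']
            Signed          = $data['Signed']
            SignatureStatus = $data['SignatureStatus']
        }
    }
}

function Select-SuspiciousImageLoad {
    param(
        [Parameter(ValueFromPipeline = $true)] $Load,
        [Parameter(Mandatory = $true)] [string] $ServiceImage   # full path of the SECOMN binary
    )
    begin {
        $serviceDir = (Split-Path -Parent $ServiceImage).TrimEnd('\') + '\'
        $systemDir  = "$env:SystemRoot\System32\"
    }
    process {
        if ($Load.Image -ne $ServiceImage) { return }   # only loads into the service process
        $reasons = @()
        $inServiceDir = $Load.ImageLoaded.StartsWith($serviceDir, 'OrdinalIgnoreCase')
        $inSystemDir  = $Load.ImageLoaded.StartsWith($systemDir,  'OrdinalIgnoreCase')
        if (-not ($inServiceDir -or $inSystemDir)) { $reasons += 'loaded from outside service/system directory' }
        if ($Load.Signed -ne 'true' -or $Load.SignatureStatus -ne 'Valid') { $reasons += 'unsigned or invalid signature' }
        if ($reasons) {
            [pscustomobject]@{
                Time   = $Load.Time
                Kind   = 'suspicious DLL load into SECOMN'
                Detail = "$($Load.ImageLoaded): $($reasons -join '; ')"
            }
        }
    }
}

# --- constructed sample input (placeholder paths) ---
$svcExe    = 'C:\Program Files\ExampleAudio\SECOMN.exe'
$sampleScm = [pscustomobject]@{ Id = 7036; TimeCreated = Get-Date; Message = 'The SECOMN service entered the running state.' }
$sampleLoads = @(
    [pscustomobject]@{ Time = Get-Date; Image = $svcExe; ImageLoaded = 'C:\Program Files\ExampleAudio\apo.dll'; Signed = 'true';  SignatureStatus = 'Valid' },
    [pscustomobject]@{ Time = Get-Date; Image = $svcExe; ImageLoaded = 'C:\Users\Public\apo.dll';               Signed = 'false'; SignatureStatus = 'Unavailable' },
    [pscustomobject]@{ Time = Get-Date; Image = 'C:\Windows\explorer.exe'; ImageLoaded = 'C:\Users\Public\apo.dll'; Signed = 'false'; SignatureStatus = 'Unavailable' }
)

$sampleScm   | Select-ServiceStateChange
$sampleLoads | Select-SuspiciousImageLoad -ServiceImage $svcExe

# Live use (Sysmon with ImageLoad logging enabled for the service process):
#   Get-WinEvent -FilterHashtable @{ LogName = 'System'; Id = 7036 } | Select-ServiceStateChange
#   Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 7 } |
#       ConvertFrom-SysmonImageLoad | Select-SuspiciousImageLoad -ServiceImage $svcExe
```

Of the three sample loads, only the one into the SECOMN process from C:\Users\Public is reported: the first is signed and lives in the service directory, and the third is the same unsigned DLL but loaded by another process, which is out of scope for this rule. Restrict the Sysmon ImageLoad rule to the service image in production; logging every DLL load on the host is too noisy.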