CVE-2021-33077
Description
Insufficient control flow management in firmware for some Intel(R) SSD, Intel(R) Optane(TM) SSD and Intel(R) SSD DC Products may allow an unauthenticated user to potentially enable escalation of privilege via physical access.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
An insufficient control flow management flaw in Intel SSD firmware allows physical attackers to escalate privileges.
Vulnerability
A vulnerability in the firmware of certain Intel SSDs, Intel Optane SSDs, and Intel SSD DC products arises from insufficient control flow management (CWE-691). This flaw affects products including, but not limited to, Intel Optane SSD 905P Series, Intel Optane SSD 900P Series, Intel SSD Pro 7600p Series, Intel SSD E 6100p Series, and Intel SSD DC P4510/P4610/P4611 Series, as detailed in the Intel advisory [1]. The vulnerability can be exploited by an attacker with physical access to the device.
Exploitation
An attacker must have physical access to the target system. The exploitation does not require authentication or user interaction. The specific steps involve inserting a specially crafted command via a physical interface (such as the PCIe or NVMe interface) to trigger the control flow management flaw. No special tools beyond standard hardware debugging or direct drive manipulation are needed, though the attacker must have a working knowledge of the drive's firmware commands.
Impact
Successful exploitation allows an unauthenticated attacker to escalate privileges to the firmware or kernel level. This could enable the attacker to execute arbitrary code with elevated privileges, potentially reading or modifying sensitive data stored on the drive, persistently compromising the device, or using the drive as a foothold for further attacks on the system.
Mitigation
Intel released a firmware update to address this issue; affected users should update to the latest firmware version for their specific product model as provided by Intel [1]. There are no alternative workarounds described in the advisory. Users can check the Intel product list and download the appropriate firmware from the Intel website [1]. The vulnerability is not currently listed on the CISA Known Exploited Vulnerabilities (KEV) catalog.
AI Insight generated on May 25, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
- Intel/Intel SSD, Intel Optane SSD and Intel SSD DC Products
Patches
No patches discovered yet.
References
[1] www.intel.com/content/www/us/en/security-center/advisory/intel-sa-00563.html (mitre, x_refsource_MISC)