CVE-2023-24587

Vulnerability

Insufficient control flow management in the firmware of certain Intel(R) Optane(TM) SSD products may allow a privileged user to trigger denial of service via local access [1]. The affected products include the Intel Optane SSD 905P series, Intel Optane SSD 900P series, and Intel Optane Memory H10/H20 series, with specific firmware versions prior to the fix [1].

Exploitation

To exploit this vulnerability, the attacker must already have privileged access (administrator or root) on the system where the vulnerable SSD is installed [1]. With local access and elevated privileges, the attacker can send a sequence of commands that cause the firmware to enter an uncontrolled state, leading to denial of service [1].

Impact

Successful exploitation results in denial of service, meaning the SSD becomes unresponsive, potentially causing system crashes, data unavailability, or inability to boot [1]. The attack does not lead to information disclosure or code execution; it only affects availability [1].

Mitigation

Intel released firmware updates to address this vulnerability. The fixed firmware versions are: for the 900P series (driver ver. 8.0.0.1079 or later), 905P series (driver ver. 8.0.0.1079 or later), and H10/H20 series (driver ver. 8.0.0.1079 or later) [1]. Users should update to the latest firmware via the Intel SSD Toolbox or the Intel Memory and Storage Tool. No workaround is available if the user cannot apply the firmware update [1].