CVE-2023-35003

Vulnerability

A path traversal vulnerability exists in some Intel(R) VROC (Virtual RAID on CPU) software prior to version 8.0.8.1001 [1]. The issue occurs due to improper input validation, enabling an authenticated user to traverse directories outside intended paths [1]. The affected versions are all releases before 8.0.8.1001 [1].

Exploitation

An attacker must have local authenticated access to the system [1]. The path traversal can be triggered by providing crafted file paths as inputs to the VROC software [1]. No special network position or additional privileges are required beyond standard user authentication [1]. The attacker can exploit this by launching the VROC application and supplying malicious path parameters to navigate the filesystem [1].

Impact

Successful exploitation can lead to escalation of privilege, allowing the attacker to gain higher-level access on the local system [1]. The path traversal may enable reading or writing files outside the intended scope, potentially leading to information disclosure or further compromise [1]. The exact impact depends on the system configuration and the attacker's subsequent steps [1].

Mitigation

Intel has released an update to address this vulnerability, with the fixed version being 8.0.8.1001 or later [1]. Users should update their VROC software to the latest available version from Intel's official support site [1]. No workarounds are provided in the advisory, and no known exploitation in the wild (KEV) has been reported as of publication [1].